Malicious PDF — malware analysis report

Static analysis result for SHA-256 05ee8389bda05042…

Verdict: MALICIOUS
File type: PDF
Size: 639.1 KB
MD5: b7a2d716502812125d27386ed31359e3
SHA-1: fb916b96045be29d7e87865702b6c24de8f8fe8d
SHA-256: 05ee8389bda050421c7705dc8f9bad998812f2a1fa16c14ff84b7bd863bd2ec7
Risk Score: 144

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The sample is a PDF that displays a fake CAPTCHA and provides instructions to run a command, likely to trick the user into executing a malicious payload. Heuristics indicate the presence of fake CAPTCHA prompts and instructions to run commands, including the sequence 'wget http://ebookleaks.org'. The embedded URL 'http://ebookleaks.org' is a primary indicator of the potential download source.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0043

Heuristics (5)

  • Fake CAPTCHA with command-running instructions [critical] SE_FAKE_CAPTCHA_CLICKFIX
    Document combines fake CAPTCHA or human-verification language with instructions to paste or run a command — a high-confidence ClickFix pattern.
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible "run this" instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Fake CAPTCHA / human verification prompt [high] SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt, used to trick users into running commands or pressing keyboard shortcuts.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, …) reached each URL.
    • http://ebookleaks.org
    • http://hackforums.net/member.php?action=profile&uid=2582112
    • http://1lineart.kulaone.com/#/
    • http://grabify.link/
    • http://skidtools.net/login.php
    • https://pipl.com/
    • http://com.lullar.com/
    • https://namechk.com/
    • http://email.addresssearch.com/
    • http://10digits.us/
    • http://www.pipl.com/
    • http://webmii.com/
    • http://www.dgs.dk/
    • https://find-person-germany.com/
    • http://www.10digits.us/
    • http://www.reversemobile.com/index.php/
    • http://www.numberway.com/
    • http://www.phonenumber.com/
    • https://www.goyellow.da/
    • http://www.infosniper.net/
    • http://ssndob.so/login
    • http://www.advancedbackgroundchecks.com/
    • http://www.findmypast.com/
    • http://www.archives.com/search/ancestor/
    • http://www.familytreesearcher.com/
    • http://www.geoimgr.com/
    • http://exifdata.com/
    • http://leakedsource.com/
    • http://siph0n.net/
    • https://leakforums.net/
    • https://citadel.sx/
    • http://skidpaste.org/
    • http://paste4btc.com/
    • http://hackforums.net/showthread.php?tid=5231265
    • http://hackforums.net/showthread.php?tid=4692270
    • http://hackforums.net/showthread.php?tid=4892146
    • http://wizblogger.com/get-fake-mobile-numbers-to-bypass-verification/
    • http://hackforums.net/[/url
    • http://www.monotype.com
    • http://www.monotypeimaging.com/
    • http://www.monotypeimaging.com/ProductsServices/TypeDesignerShowcase
    • http://www.monotypeimaging.com/html/license.aspx
    +51 more URL(s)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0007cdf0.bin
    SHA-256: 3c839247b313c15315f0117fa9e95382bfe3993b266006877e70765938f2b685
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7CDF0
    Size: 58116 bytes
  • font_01_sfnt_off000854ed.bin
    SHA-256: 920182096a0603d7b9a49dc054b3b704ba6ea39594651f1f6684cf68333e4752
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x854ED
    Size: 68092 bytes
  • font_02_sfnt_off0008fb00.bin
    SHA-256: 7e974e49a975874d8722d969220a9ea10cedaa1dd14f43f995d6868ca8134c06
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8FB00
    Size: 16780 bytes