Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d1141507acf46fa…

MALICIOUS

PDF

19.9 KB Created: 2017-11-10 15:16:38 +01:00 Authoring application: wkhtmltopdf 0.12.3 (via Qt 4.8.7)
MD5: a9bd2e795dcc2b5853844a3d326db1cc SHA-1: 27b350f70e51fffa84ecaf8240296628d663e2ce SHA-256: 0d1141507acf46fa0fdaf0c5b4e95d77c636dc060b4abd2b74ca191bd3083b87
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file is identified as malicious by ClamAV and exhibits characteristics of a phishing lure, using an image to obscure a clickable link. The embedded URL, https://www.reliancetechnologies.lk/lda/baixar/we/in/index.html, is the primary indicator of a potential malicious destination. The file's structure and heuristics suggest it's designed to exploit user interaction to redirect them to a harmful site.

Machine Learning

  • Nyx PDF Classifier clean score 0.2216

Heuristics 4

  • ClamAV: Pdf.Dropper.Agent-7228035-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7228035-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 19 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.reliancetechnologies.lk/lda/baixar/we/in/index.html
    • http://www.monotype.comMonotype
    • http://wenq.org/
    • https://wetransfer.com/plus?trk=WT201704_email&utm_campaign=WT_email_tracking&utm_content=general&utm_medium=plus_footer_ad_link&utm_source=notify_recipient_email
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html
    • http://nmr.mgh.harvard.edu/~fangq/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000020d7.bin
6e61c59ab097d7eaa36801ff074ac790baf91debf92c4948359b87e311b081dc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x20D7 12764 bytes
font_01_sfnt_off000043c5.bin
38fbf1c2d61d4661f82139168c5c0020d635a4d89370245730b0d6ff9698de96		 pdf-font-stream PDF embedded font (sfnt) at offset 0x43C5 3096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.