Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ecaf61fb110bdcb…

Verdict: MALICIOUS

File type: PDF

Size: 126.2 KB
Created: 2022-06-14 03:33:07
Authoring application: King Of The Rings Hockey Tournament Schedule rootsudo (via FPDF 1.82)
First seen: 2022-07-15

MD5: 0e8e676d4a3260871e137946aa295810
SHA-1: 28d618bd32eb60a7ee2ac114f83f2a6396f5095e
SHA-256: 0ecaf61fb110bdcb69dd8cdfb5cf7a22aa1d452a910a75db3442644abadc3a0b

Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded URLs and invisible links designed to trick the user into downloading a payload. The heuristic 'PDF_REPEATED_PAYLOAD_LINK_LURE' indicates that these links are intended to deliver a file, likely malicious, from the domain 'yoreparosavage.site'. While no scripts were directly extracted, the nature of the embedded links suggests a potential for JavaScript execution or further exploitation.

Machine Learning

  • Nyx PDF Classifier clean score 0.0026

Heuristics (2)

  • Invisible/repeated PDF links deliver payload file [critical] PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_028_off0001eb5c.bin
SHA-256: 43b13684882d332187dbe2691d5e4f64c33a98e381a4dc2316374ba1b923b47c
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1EB5C
Size: 76950 bytes