Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f1dca6626f64090…

MALICIOUS

PDF

9.1 KB Created: 2013-09-23 06:01:47 -02:00 Authoring application: htmldoc 1.8.23 Copyright 1997-2002 Easy Software Products, All Rights Reserved.
MD5: 4ab336ddfb1bc4e86f1b20432c3df065 SHA-1: b066cbf219381576d2ea4905b98d4fef19697af3 SHA-256: 0f1dca6626f640902ca671a591f7559352631fe49a228ab235373b9fa86232c9
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF document contains a malicious URI that attempts to exploit a vulnerability in PDF readers, specifically targeting the 'mailto:' handler. The URI 'mailto:test%../../../../windows/system32/calc.exe".cmd' suggests an attempt to execute the command interpreter, likely to download and run a second-stage payload. The ML classifier also flagged this PDF as malicious, supporting the assessment of an exploit attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8822

Heuristics 4

  • PDF URI references command interpreter path high PDF_DANGEROUS_URI_COMMAND
    PDF contains a /URI action whose target uses a mailto/path traversal shape and references a command interpreter or scripting host. This is not a normal web link and matches legacy PDF command execution/dropper lures.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2007-10/msg00093.html
    • http://secdev.zoller.lu
    • http://lists.grok.org.uk/full-disclosure-charter.html
    • http://www.derkeiler.com/Mailing���Lists/Full���Disclosure/2007���10/msg00093.html
    • http://lists.grok.org.uk/full���disclosure���charter.html
    • http://secunia.com/

Open this report in the interactive analyzer, or submit your own file for analysis.