Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f2e8dfdb29174af…

Verdict: MALICIOUS
File type: PDF
Size: 131.5 KB
Created: 2016-04-26 12:12:28 -04:00
Authoring application: Soda PDF Server
MD5: ac19a638ba4be6ca2582b080d87f374f
SHA-1: 2abffea1b6d10a4d8d55d6e8fa79780295830863
SHA-256: 0f2e8dfdb29174af065c441f9c7b75713271f27714edb0f76af67c2b6bad88e5
Risk score: 170

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The PDF file matches multiple critical heuristics that mark it as a dropper carrier: the document itself is only a lure, and the payload is fetched when the user clicks. Invisible, repeated link annotations point directly at a Windows executable, http://67.23.226.12/~britcous/curtis/PAYMENT_SWIFT_TT_COPY_SCA.scr (a .scr screensaver file is a PE binary that Windows runs on double-click, and the payment/SWIFT naming is a typical finance lure). The host is a raw IP literal rather than a named domain. A second clickable link goes through the URL shortener http://tinyurl.com/nv66est, which hides its final destination from static review. A visual download call-to-action completes the social-engineering workflow. Treat the IP address, the full payload URL and the shortener link as indicators and check proxy and DNS logs for them.

Machine Learning

  • Nyx PDF Classifier clean score 0.1327

Heuristics (6)

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • ClamAV: Pdf.Dropper.Agent-7229234-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7229234-0
  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal on its own and only matters when other findings point to a malicious workflow, as they do here.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable URI actions (the two flagged by the heuristics above):
    • http://67.23.226.12/~britcous/curtis/PAYMENT_SWIFT_TT_COPY_SCA.scr
    • http://tinyurl.com/nv66est
    Other extracted strings, consistent with the embedded font and certificate data in the sample (Microsoft-signed fonts carry a DSIG table whose certificate chain references CRL, OCSP and certificate URLs like these). The raw extractor output carried trailing DER length bytes such as "0Z" and ran two adjacent strings together; both artifacts are cleaned up here:
    • http://ocsp.verisign.com
    • http://www.iec.ch
    • http://www.microsoft.com/typography/ctfonts
    • http://fontfabrik.com
    • http://www.microsoft.com/typography/fonts/default.aspx
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt
    • http://www.microsoft.com/typography
    • http://crl.verisign.com/ThawteTimestampingCA.crl
    • http://crl.verisign.com/tss-ca.crl
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
    • http://www.microsoft.com/pki/certs/CodeSignPCA2.crt
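The link-annotation heuristics above (invisible or repeated links to a direct payload, raw-IP host, URL shortener, lure-like file name) can be reproduced with a small static checker. The following Python is an added example, not code from the analysis platform that produced this report. It pulls /Link annotations out of an uncompressed PDF with regular expressions (a real file may use object streams or Flate-compressed objects, which you would inflate first, and hex-encoded URI strings, which it does not handle) and runs on a constructed sample PDF that mimics the findings, using the documentation address 203.0.113.10 and a made-up file name instead of the real URLs. The shortener, extension and lure-word lists are assumptions, and the labels PDF_URI_EXECUTABLE_PAYLOAD and PDF_LURE_FILENAME are names chosen for the example; the other label names follow the report.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed indicator lists; tune them to your environment.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}
EXEC_EXTENSIONS = (".scr", ".exe", ".hta", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".msi", ".jar", ".lnk")
LURE_WORDS = ("payment", "swift", "invoice", "remittance", "document", "unlock", "verify")

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
LINK_RE = re.compile(rb"/Subtype\s*/Link")
MEDIABOX_RE = re.compile(rb"/MediaBox\s*\[([^\]]*)\]")
RECT_RE = re.compile(rb"/Rect\s*\[([^\]]*)\]")
BORDER_RE = re.compile(rb"/Border\s*\[([^\]]*)\]")
FLAGS_RE = re.compile(rb"/F\s+(\d+)")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # literal strings only; hex strings (<...>) are not handled

ANNOT_HIDDEN, ANNOT_NOVIEW = 1 << 1, 1 << 5   # PDF 32000-1 annotation flag bits 2 (Hidden) and 6 (NoView)


def _nums(raw):
    return [float(x) for x in raw.decode("latin-1").split()]


def is_invisible(body, mediabox):
    """True when a /Link annotation gives the reader nothing to see: hidden flags, a
    zero-area hotspot, or a borderless rectangle covering the whole page."""
    m = FLAGS_RE.search(body)
    if m and int(m.group(1)) & (ANNOT_HIDDEN | ANNOT_NOVIEW):
        return True
    m = RECT_RE.search(body)
    if not m:
        return False
    x0, y0, x1, y1 = _nums(m.group(1))
    if abs(x1 - x0) < 1 or abs(y1 - y0) < 1:
        return True
    b = BORDER_RE.search(body)
    borderless = b is not None and not any(_nums(b.group(1)))
    full_page = mediabox is not None and all(abs(a - c) < 1 for a, c in zip((x0, y0, x1, y1), mediabox))
    return borderless and full_page


def classify_uri(uri):
    """Per-URI static labels. PDF_URI_EXECUTABLE_PAYLOAD and PDF_LURE_FILENAME are example names."""
    labels = []
    p = urlparse(uri)
    host, path = (p.hostname or "").lower(), p.path.lower()
    try:
        ipaddress.ip_address(host)
        labels.append("PDF_URI_IP_LITERAL")
    except ValueError:
        pass
    if host in SHORTENER_HOSTS:
        labels.append("PDF_URL_SHORTENER_URI")
    if path.endswith(EXEC_EXTENSIONS):
        labels.append("PDF_URI_EXECUTABLE_PAYLOAD")
    if any(w in path for w in LURE_WORDS):
        labels.append("PDF_LURE_FILENAME")
    return labels


def analyze_pdf(data):
    """Map each clickable URI to its labels, the number of annotations carrying it,
    and whether any of those annotations is invisible."""
    mb = MEDIABOX_RE.search(data)
    mediabox = _nums(mb.group(1)) if mb else None
    links = []
    for body in OBJ_RE.findall(data):
        u = URI_RE.search(body)
        if LINK_RE.search(body) and u:
            links.append((u.group(1).decode("latin-1"), is_invisible(body, mediabox)))
    counts = Counter(uri for uri, _ in links)
    report = {}
    for uri, invisible in links:
        e = report.setdefault(uri, {"labels": classify_uri(uri), "count": counts[uri], "invisible": False})
        e["invisible"] = e["invisible"] or invisible
    for e in report.values():
        # The report's critical heuristic: a direct executable download behind a hidden or repeated link.
        if "PDF_URI_EXECUTABLE_PAYLOAD" in e["labels"] and (e["invisible"] or e["count"] > 1):
            e["labels"].append("PDF_REPEATED_PAYLOAD_LINK_LURE")
    return report


# Constructed sample (not the analysed file): two borderless links to an .scr on a raw-IP host, one
# zero-area and one covering the whole page, plus a shortener link and a benign named-domain link.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 0 0] /Border [0 0 0] /A << /S /URI /URI (http://203.0.113.10/~user/PAYMENT_COPY.scr) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /Border [0 0 0] /A << /S /URI /URI (http://203.0.113.10/~user/PAYMENT_COPY.scr) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [100 100 300 130] /A << /S /URI /URI (http://tinyurl.com/abc123) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /Rect [100 200 300 230] /A << /S /URI /URI (https://www.example.com/terms) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for uri, entry in analyze_pdf(SAMPLE_PDF).items():
        print(uri, entry)
```

The full-page test matters because most legitimate links are also borderless; it is the combination of no border and a rectangle spanning the whole MediaBox that turns the page into a single click target. Repeated identical annotations are counted so that the critical label fires even when each copy is visible.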

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000056e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x56E
    Size: 168868 bytes
    SHA-256: 346d447c60325bab9db30abfb12df0c68fc2cadb13faad1c67605cab60510032
  • font_01_sfnt_off00013ec1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13EC1
    Size: 92776 bytes
    SHA-256: 1b4525009946580779a9aa3510a41286d537367fe59b52f55ebda5147e3ec26c
  • font_02_sfnt_off0001a3b3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A3B3
    Size: 81588 bytes
    SHA-256: 24cc8944cf9f875df63c5796291a6c9abe893b58de9f8a4869a23034767a4294