Malicious PDF — malware analysis report

Static analysis result for SHA-256 15505e68108845c3…

MALICIOUS

PDF

98.3 KB Created: 2010-08-26 09:47:27 +08:00 Authoring application: Acrobat PDFMaker 8.1 for Word (via Acrobat Distiller 8.1.0 (Windows))
MD5: 2b0e6aff68124662e93188a12de27a08 SHA-1: a61e3a2ebf8a9bc97c766ec467f75e6ce3372552 SHA-256: 15505e68108845c319c7111e7fe80e1ee3dda5bfa41426dc28b99bab6d77b212
312 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF contains a critical heuristic firing for a launch action targeting mshta.exe, which is a known LOLBIN. This action is configured to execute a URL that resolves to an IP address, strongly indicating the download and execution of a secondary payload. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8205

Heuristics 6

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: mShTa.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters ' http://174.36.133.14/update/111.html 1 Click open to view the full info ' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • /Launch action targets mshta.exe (LOLBIN) critical PDF_LAUNCH_MSHTA
    PDF contains a /Launch action whose /F parameter names mshta — Microsoft's legacy HTML Application host, used as a LOLBIN to run inline JScript/VBScript from a /P parameter (typically a `javascript:` URL). MITRE ATT&CK T1218.005.
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://174.36.133.14/update/111.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.