Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d3d4d9128c9e2af…

MALICIOUS

PDF

2.49 MB Created: 2015-01-09 13:46:11 +09:00 Authoring application: Microsoft® Office PowerPoint® 2007
MD5: 5831de8a606e34bae1c37660ee17a40e SHA-1: c2e200156da18bbf44c5041e41d53d493c49d2b9 SHA-256: 2d3d4d9128c9e2af4d12f68ddd51dbd6edaa8c6ad203a406e89f6859190572d6
88 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains embedded JavaScript and a direct link to an executable file hosted on an IP address. The heuristic 'PDF_DIRECT_PAYLOAD_LINK' specifically flags this behavior, indicating the document's intent is to trick the user into downloading and running 'client.exe'. The presence of embedded JavaScript further suggests potential for more complex malicious actions.

Heuristics 4

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.0.223/admin
    • http://demo.seetrol.com:7070/
    • http://������ip:7070/
    • http://192.168.0.223/
    • http://192.168.0.223/client.exe
    • http://192.168.0.223/center.exe
    • http://192.168.0.223/vclient.exe
    • http://www.seetrol.co.kr/
    • http://demo.seetrol.com/
    • http://knowhow.seetrol.com:7070/
    • http://knowhow.seetrol.com/
    • http://yourhost.seetrol.com:7070/
    • http://knowhow.seetrol.com:12345/
    • http://demo.seetrol.com:7070/admin
    • http://www.iec.ch
    • http://youtu.be/bLJqOUnVWNw

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_074_off0012ab48.bin
8e6a7a5e5e2dc994745e8dfdb59a2289ee8b5ba705813d5ea63619f78190e76b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x12AB48 1260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.