Malicious PDF — malware analysis report

Static analysis result for SHA-256 2fa6f2b3113c126a…

Verdict: MALICIOUS
File type: PDF
Size: 15.21 MB
First seen: 2022-11-10
MD5: 5b6648ba323b764067216c80940fc09e
SHA-1: 053333a4cb7fe55ca7948080762e316b750f54be
SHA-256: 2fa6f2b3113c126ad034ee29efad628b7bc5c66a5b10c7002b7ae5c24d0cd7fd
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1059 Command and Scripting Interpreter

The PDF document exhibits high maliciousness based on ML classification and contains heuristics indicating a lure for recovery secrets and clipboard command execution. The document's content, though heavily obfuscated, suggests a social engineering tactic to extract sensitive information by instructing the user to interact with command-line interfaces. No scripts were extracted, limiting further analysis of payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8498

Heuristics 5

  • Recovery secret / private key request [critical] SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Unusually high stream count [medium] PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 21

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
icc_00_off0001f783.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0x1F783 | 3144 bytes
font_00_sfnt_off0000405a.bin | 75194a52590d6716f32355115855d7bc593132bc49bb4b3aacb30ea4553b70e9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x405A | 25373 bytes
font_01_sfnt_off000081a3.bin | 73cf65ea20101ea6beb352d2224f14dd5b9a59bf400f703a13d1e8f1534feb27 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x81A3 | 71016 bytes
font_02_sfnt_off000109de.bin | 144105c053a8244c4365bc5ba2c3850999665635aa50960714d89c2874c9dc3b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x109DE | 22479 bytes
font_03_sfnt_off000145d4.bin | 6319fde61757e4c95bdafec3ef6c1bd23db0a0204c4524edecf67c41171369a4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x145D4 | 21307 bytes
font_04_sfnt_off00018270.bin | ad09aaae19b55cd9de0db366cb051b7d109fa6745ca00f0ca5ddbc71513c6819 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18270 | 67004 bytes
font_05_sfnt_off00021bf7.bin | fac9cf6d4613c2d49d37d7de8414cfa0d16c4f940f0213fd4830b52b035cc8e8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21BF7 | 17343 bytes
font_06_sfnt_off00042d4d.bin | 6d82000f605bc674b587d0c93db2db759f4094681ea84da56cccc77d50bfd9e6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x42D4D | 42906 bytes
font_07_sfnt_off00054c73.bin | b44c7c3c93b311d5ca85764c43daa1e1202e2096e290d6513860df8cf1a16f57 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x54C73 | 36489 bytes
font_08_sfnt_off0005b866.bin | ef4cda56aded75e06df93894df6b7571a4006d91660497d32dd7d9be6bcd324f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B866 | 12414 bytes
font_09_sfnt_off0005ecd6.bin | 4ea6131e6e3d5fc3743c68b6c2403d44f4f94e16ac753c62299ae0f1cb3f1111 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5ECD6 | 33212 bytes
font_10_sfnt_off00065456.bin | 7a9a73beb1d02e8955959875a84a8d6c8996380690ba341927a06ace8a2b4cbc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x65456 | 33814 bytes
font_11_sfnt_off0006b93d.bin | b640c4711b3e7c640ca260919d330d1d0c90d64064220824aa77300e5b62d7d0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B93D | 59290 bytes
font_12_sfnt_off000726f7.bin | 43435374c7c90c78a83982f313eff4bb0022d032300ce5d151de385dcec4ac26 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x726F7 | 33683 bytes
font_13_sfnt_off000c4652.bin | d0ee2a967c824d87001e0f0f37d4bab1e302f5f578d64424db5cb7ee54ad288d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC4652 | 22284 bytes
font_14_sfnt_off000ca009.bin | ac025a355b8408fc3b4089c4f7ccaed968d270dc1b3179d579f2fb02583dd64a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCA009 | 84099 bytes
font_15_cff_off000d3bf1.bin | 5b9c3a33519a4cf900f0fce323496810e6a434e2abedffa325e21410ea5b333b | pdf-font-stream | PDF embedded font (cff) at offset 0xD3BF1 | 5727 bytes
font_16_sfnt_off001498d9.bin | 3c803410bd7b4cb5409c97cb2ede9c132a82ae6358f4dd704c97163204f68542 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1498D9 | 24658 bytes
font_17_sfnt_off001d7064.bin | d739a08afaf05be1444bd70c01d1e2a6f92c1fcf22758a8e0de581c0875d056a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1D7064 | 50045 bytes
font_18_sfnt_off00738838.bin | 7e26d589637278284f003fa203b7ea54662616edb1ed163ceac21973ffde0696 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x738838 | 60346 bytes
font_19_sfnt_off0079e231.bin | 4c858201b0e6ad5c5360cb97a8cb3f9599cd0633bffe17b27f51727bba174e62 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x79E231 | 79695 bytes