Malicious PDF — malware analysis report

Static analysis result for SHA-256 30edabd279f107b6…

MALICIOUS

PDF

Size: 166.2 KB
Created: 2016-12-26 22:39:13 +08:00
First seen: 2018-10-09
MD5: 2cc2fbe5eb1e51ebef150f640f862f7a
SHA-1: 59cf559c7e859b0d2104b4232148969308160c4a
SHA-256: 30edabd279f107b647c297ac865fd1d0dadc8c6251e646b758657ca677f16ae1
Risk Score: 74

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF contains multiple embedded URLs pointing to a domain that appears to be hosting malicious content. One heuristic specifically flags an external URI within the PDF, suggesting a delivery mechanism for further payloads. The presence of a polyglot child PDF also indicates a layered attack. No scripts were extracted, limiting the ability to determine specific execution behavior.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0568

Heuristics (4)

  • POLYGLOT_CHILD_PDF_STATIC_TRIAGE (high): Secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF_SEO_PHP_GATEWAY_LINK_FARM (medium): PDF carries a PHP-gateway SEO-spam PDF link farm
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma, binary-options or 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

stream_005_off0000c1d7.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xC1D7
  Size: 20108 bytes
  SHA-256: ebce71fbb0ca4a7f18b8c7dd0da031d05bb605124eb78e006aab615192b0f208

stream_015_off0001f445.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1F445
  Size: 19900 bytes
  SHA-256: 13464fe37726f5d64ae356c2892757608a65efa366664e6a0be4cd80f1683001

font_01_sfnt_off0000f805.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF805
  Size: 19964 bytes
  SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8

font_02_sfnt_off00012dcb.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12DCB
  Size: 20828 bytes
  SHA-256: 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1

polyglot_child_pdf_off00016976.pdf
  Kind: polyglot-child-pdf
  Source: Secondary PDF body inside PDF container at offset 0x16976
  Size: 77685 bytes
  SHA-256: e7767bf6d09bb98b7c1e8696250dacc486d8b5af9e0a3d321680456950461b3a