Malicious PDF — malware analysis report

Static analysis result for SHA-256 396727f175b44f0b…

MALICIOUS

PDF

34.2 KB Created: 2020-04-05 04:06:49 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6) First seen: 2020-09-07
MD5: 8f0c45177ec190d708fa407e8716e4a8 SHA-1: 430754ac0ad83b729255ad2bd30108c03f83b817 SHA-256: 396727f175b44f0bbf63c8e0a95268c55da181ddfb37c3321ceae496b94ff6bb
76 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains embedded URLs that lead to potentially malicious content, disguised as a communication plan example. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests that the document may contain instructions for executing commands using Windows scripting tools, likely to download and execute a second-stage payload from one of the provided URLs. The document body itself is heavily obfuscated, but the presence of URLs and the LOLBIN execution heuristic strongly indicate a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://curlroanoke.org/uploads/1/3/1/4/131406181/131406181.html#plan+de+comunicacion+de+empresa+ejemplo PDF link annotation
    • http://aerialprotectivesolutions.com/uploads/1/3/1/4/131437605/f25329.pdfIn PDF document text
    • http://peddlerscache.com/uploads/1/3/0/5/130588695/tovemilokejubojip.pdfIn PDF document text
    • http://africanubuntu.com/uploads/1/3/0/4/130436207/fokemoxexak_nonot_sukevo_munove.pdfIn PDF document text
    • http://packethunters.com/uploads/1/3/0/5/130551639/tomuji.pdfIn PDF document text
    • http://cedarlakeanimalhospital.com/uploads/1/3/0/6/130621533/5912123.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ca7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5CA7 8260 bytes
SHA-256: 89843e1ea785b2340baa4735c97a9de54555e7b5fa30ff869be6b6aa05c9a52a

Open this report in the interactive analyzer, or submit your own file for analysis.