Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c155f3a8653bc74…

Verdict: MALICIOUS
File type: PDF
Size: 60.6 KB
Created: 2018-06-14 10:34:25
Authoring application: Qt 5.5.1
MD5: 6052d19ce60432f831dd4b5e9b419625
SHA-1: 755770a2567d2ae541e3b50289360b309d76568e
SHA-256: 3c155f3a8653bc74d1bffe3b3b9104c2efc87f3b29111646bf12cb9289a295b3
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers multiple heuristics indicating malicious intent, specifically the use of repeated, invisible link annotations to deliver a payload. One of the embedded URLs, http://markpteraschok.wiki-data.ru/d?keyword=gustav+becker+clocks+dating&charset=utf-8&source=weebly.com, is directly associated with this payload-delivery lure. Although the other URL, http://bit.ly/FastDating18, was flagged as benign, the remaining malicious indicators warrant a high-risk assessment.

Heuristics (3)

  • Invisible/repeated PDF links deliver payload file (severity: critical, rule: PDF_REPEATED_PAYLOAD_LINK_LURE)
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Clickable URI uses URL shortener (severity: medium, rule: PDF_URL_SHORTENER_URI)
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://markpteraschok.wiki-data.ru/d?keyword=gustav+becker+clocks+dating&charset=utf-8&source=weebly.com
      • http://bit.ly/FastDating18

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000bbd1.bin
  SHA-256: 1e4cb732997b48807b93894b0e7db75c2201daae31538e72bf9d460d91a609a5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBBD1
  Size: 2824 bytes

Filename: font_01_sfnt_off0000c574.bin
  SHA-256: 551496e397483dbeb5ab2f7987c36ce6b56a22b180391dca7bfb487ecd231dd3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC574
  Size: 19356 bytes