Malicious PDF — malware analysis report

Static analysis result for SHA-256 43a719a686f3edf6…

MALICIOUS

PDF

Size: 171.6 KB
Created: 2016-12-26 20:45:11 +08:00
MD5: 7988e9e53148f7101e5f47bb2de55093
SHA-1: c920fcaace58dfd37585b47fb3621099d2294d53
SHA-256: 43a719a686f3edf6c8e0f51d15e5492bdd1f2917fc5bea897a55fabcd0bcf95b
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains multiple embedded URLs, indicating a likely attempt to redirect the user to malicious content. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests that the document may contain instructions for executing commands using Windows scripting tools, further supporting a malicious intent. The presence of a secondary embedded PDF with suspicious findings reinforces the malicious nature of the document.

Heuristics (4)

  • Visible LOLBin command execution instruction [high] SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Secondary embedded PDF body has suspicious static findings [high] POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/xkatxat_zzx_YGv16204086weQ.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/rieh16204212f.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/QdJzfzoux16204704aros.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/nrQnfcfwQaco_fdtxvaulYvixcPsm16204594Qxu.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/ftPmhldvibxszmmmcsPrhQmtxl16203858o.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/vYatceawJnadvcumcfsikobivkrah16203827ufox.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/Jnx16204562ad.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/cYuJmYvxksfePlszt_QG16204667o.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/endsYmzvbhobcJbYQenPhad16204519Px.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/niY_cdzJumvrss16203903r.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/QwhQmYvJczmxJnziYQuwi16204758xow.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/hsffQzmencveGevh16236647lP.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/hwoueQaahwG16204608Jr.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/sPQeohPzeabcsQYfbznQfG_YkvflJw16203896u.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/eocciPnrPfns_cwYhlmPskh16204189v_fr.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/o_th16203833w.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/uJYhzharcQmiY_owY16203868b.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/QbalmrnwJ_udoPeinPmrhocwnw_16236438l.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/akbYa16236423Gk.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/lJlmftxQwmYokcJfmloGY16236435GtJ.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/bvnrYzexrQilxaPhbmYzbdxlwfu16204558PixQ.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/Qowdvzuxcbn16236582l.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/ahiclifnkfathothfw16236530uzio.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/vQGQJzkrimQwtGcexiGho16204491vli.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/xfeQckcbxh_vvQQeocQxJnGhox16203817mx.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/ffozYmfvwavisnbmmePsGzm16204000rxl.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/wowfQmhQata16203960von.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/b_QceJdsvv16203886mhc.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/biJsbfnPd_nsPule_YfPc16236384ovJf.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/tvcYih16236493vJ.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/embvczzGQes16203925xcmh.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/whJGt_afPQdahQsmJhonP16204658dxcu.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/_tbwlrcGPotPPJmzQsJJwbmd16203951YzGz.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/JdbhaQuwm16236609ta.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/kYivraulso16203934w.pdf
    • http://kominki24.pl/bteb_vnlJ15024741dik.pdf
    • http://www.abualhaj.ae/departmentdifferent/_vimY15694398dbGJ.pdf
    • http://underbrushclearing.com/wc-logs/v_muukv_dcovPscblbhbmQPGt10752188eGt.pdf
    • http://toledano.fr/images/nvzr15972345tb.pdf
    • http://healthlink.org.au/effortage/inbhzows_vJQt15593722ce.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/sPJJehkrrkJkQw16204683h.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/fvu16204187b.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/bJvhkGQbbznGsdekskYQhGlG16236539hJJQ.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/xzn16204093cu.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/vkYbushYbhiwQh16204188l.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/zcknemhiQlrJbrwJrohrsakhdzoPvd16204770k.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/Jvahbc16236569QoGl.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/_xaJiYfuixzwmitesxtJwY16204196zmG.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/aroouGetullYviGuGJsxPodxbvuzva16203979kudo.pdf
    • http://dubaipropertyrentals.net/perhapsactual/momentfield.php/bQunuvcxGPenPdkJsehYs_Q16204147ol.pdf
    +68 more URL(s)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

  • stream_004_off0000ba07.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xBA07
    Size: 19980 bytes
    SHA-256: 332f85abf5621a694e8344cefda5eadc5c6476e1cce7c8a78fe56a445f30206e
  • stream_015_off0002092b.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2092B
    Size: 19964 bytes
    SHA-256: 3d1c5b905549572cd1e0b8dc37c011a51dc65394fa8ac21f34d4a7fd85c7499c
  • font_01_sfnt_off0000efd6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFD6
    Size: 19964 bytes
    SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8
  • font_02_sfnt_off0001259c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1259C
    Size: 20828 bytes
    SHA-256: 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1
  • polyglot_child_pdf_off0001613f.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0x1613F
    Size: 85253 bytes
    SHA-256: ca08d21126f6b1162559c72d7aa4eaa7e873e8c53033a342d9591ff5a6a5fe46