Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e8cca6634f66fbd…

MALICIOUS

PDF

4.47 MB Created: 2017-01-12 07:32:00 Authoring application: Microsoft® Office Word 2007
MD5: 166ac5b13ec1a7b9c5e8c0ed77154207 SHA-1: a2c4125af982f53d80c1044fc7b214058bcc9385 SHA-256: 4e8cca6634f66fbdef65f49cb10de2fc8d3d8d74838cf095a5337b7f02175900
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.001 Malicious Link

The document triggered the SE_ADVANCE_FEE_SCAM_LURE heuristic (lottery/beneficiary wording combined with large-value funds and parcel/courier language) and PDF_DIRECT_PAYLOAD_LINK, which reports a clickable URI whose path ends in an executable or archive extension. Together these fit a phishing document that impersonates legitimate communications or offers to get the recipient to download and run a file. One caveat before acting on the verdict: none of the URLs extracted below ends in such an extension. The only link to a downloadable file is a Dropbox-hosted .mp4, and the remaining URLs are maritime-industry news and association sites, XMP namespace identifiers, and ICC/W3C schema URIs. Confirm which link triggered the payload-link heuristic against the raw /URI actions in the file before treating that hit as confirmed.

Heuristics 4

  • PDF_DIRECT_PAYLOAD_LINK (critical): PDF link points directly to executable/archive payload
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • SE_ADVANCE_FEE_SCAM_LURE (high): Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.color.org
    • http://www.ipmnhrc.lk/index.html#schedule
    • http://www.cmmsrilanka.lk/
    • http://www.nautinst.org/
    • http://www.nautinst.org/en/membership/
    • http://www.ciltsl.com/
    • http://www.portmin.gov.lk/
    • https://maritimecyprus.com/2016/06/05/infographic-the-fall-of-the-titanic/
    • http://www.ips.lk/talkingeconomics/?author=43
    • http://www.worldoceansday.org/
    • http://maritimesecurityalliance.com/about-us/
    • https://www.dropbox.com/s/wdjnd4e1dix2t82/Genting%20Dream%20Video.mp4?dl=0
    • http://us.mc1603.mail.yahoo.com/mc/compose?to=admin@ciltsl.com
    • http://www.imo.org/MediaCentre/PressBriefings/Pages/19DOTSpreview.aspx#.U6GkPfldXmd
    • http://www.imo.org/en/MediaCentre/PressBriefings/Pages/19DOTSpreview.aspx#.VYuHvxuqqkq
    • http://www.sundaytimes.lk/160605/business-times/at-least-75000-families-affected-91-missing-in-sri-lankas-worst-floods-last-month-196204.html
    • http://gcaptain.com/containership-pays-nearly-1-million-toll-to-cross-the-expanded-panama-canal/
    • https://gcaptain.com/author/john/
    • http://gcaptain.com/tag/bravery-at-sea-award/
    • https://www.youtube.com/watch?v=X6bs4oew5tM&feature=player_embedded
    • http://www.iec.ch
    • http://www.adaderana.lk/news/36008/wasp-attack-on-tourists-in-sigirya#sthash.H0jPJ7Bm.dpuf
    • https://lh3.googleusercontent.com/upXdWOnwoZ-xSSE6z2vi4i1btSfujKxingoW9bDTa7ha1hC_Z325j_dZEFOBPZym3GOHq2Jw7FlQgKPebOTpYhdfbr-kM1Ytkfn94Fn18DIGVMhZmRY
    • https://lh6.googleusercontent.com/yfVDCBtzp0oiUDyNSo8Xj6mNQ5D-7cdxzz7_qjJ9c9PXAHO7HluXK49cmeLLyEYNt9kOSiU_PIRXtUHmfFP3syOT4-8mYdKdpkMX6G_adPqg4YqQX5c
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/id/
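To show what the PDF_DIRECT_PAYLOAD_LINK and EMBEDDED_URL heuristics actually test, here is an added example (not code from the report's scanner) that pulls /URI actions out of raw PDF bytes by walking the literal string properly, then applies the payload-extension check to the URL path only. It also includes a deliberately naive whitespace-delimited grab to reproduce the ')/K[' tails that appeared in the URL list above. The extension set, the hypothetical example.invalid archive link, and the constructed four-annotation sample PDF are assumptions of the example; two of the sample URLs are taken from the list on this page.

```python
import re
from urllib.parse import unquote, urlsplit

# Extension set for the PDF_DIRECT_PAYLOAD_LINK check. The report names the
# categories (executable, script, shortcut, disk image, archive); this
# concrete list is an assumption of the example.
PAYLOAD_EXTENSIONS = {
    "exe", "msi", "scr", "com", "pif",               # executables
    "bat", "cmd", "ps1", "vbs", "js", "hta", "jar",  # scripts
    "lnk", "url",                                    # shortcuts
    "iso", "img", "vhd", "dmg",                      # disk images
    "zip", "rar", "7z", "gz", "tar", "cab",          # archives
}

URI_OPEN = re.compile(rb"/URI\s*\(")


def extract_uri_actions(pdf: bytes) -> list:
    """Return the target of every /URI (...) action in raw PDF bytes.

    The literal string is walked by hand: a backslash escapes the next
    byte, nested balanced parentheses stay inside the string, and the
    matching ')' ends it. Octal and \\n-style escapes are not expanded,
    which is adequate for URLs (an assumption of this example)."""
    targets = []
    for m in URI_OPEN.finditer(pdf):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(pdf):
            c = pdf[i:i + 1]
            if c == b"\\" and i + 1 < len(pdf):
                buf += pdf[i + 1:i + 2]
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    break
            buf += c
            i += 1
        targets.append(buf.decode("latin-1"))
    return targets


def naive_extract(pdf: bytes) -> list:
    """Whitespace-delimited grab. This style of scan swallows the closing
    ')' and whatever follows it, which is how a URL ends up reported with
    a ')/K[' tail."""
    return [m.decode("latin-1") for m in re.findall(rb"/URI\s*\((\S+)", pdf)]


def is_payload_link(url: str) -> bool:
    """PDF_DIRECT_PAYLOAD_LINK: HTTP(S) URL whose *path* ends in a payload
    extension. Query string and fragment are ignored, so 'setup.exe?dl=1'
    counts while 'index.html#schedule' and 'Video.mp4?dl=0' do not."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    last_segment = unquote(parts.path).rsplit("/", 1)[-1].lower()
    ext = last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
    return ext in PAYLOAD_EXTENSIONS


def triage_links(pdf: bytes) -> dict:
    """Map each clickable URI in the file to the heuristic's verdict."""
    return {u: is_payload_link(u) for u in extract_uri_actions(pdf)}


# Constructed sample: four link annotations, left uncompressed so the parser
# can see them. URLs 1 and 2 come from the report's list, the third is a
# hypothetical archive link with escaped parentheses in its path, and the
# fourth is followed by '/K[' to reproduce the over-capture seen above.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://www.ipmnhrc.lk/index.html#schedule) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://www.dropbox.com/s/wdjnd4e1dix2t82/Genting%20Dream%20Video.mp4?dl=0) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://example.invalid/files/Invoice\\(1\\).zip) >> >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://lh3.googleusercontent.com/abc)/K[ 5 0 R ] >> >> endobj\n"
)

if __name__ == "__main__":
    for url, hit in triage_links(SAMPLE_PDF).items():
        print("PAYLOAD" if hit else "       ", url)
    print("naive scan last hit:", naive_extract(SAMPLE_PDF)[-1])
```

Run against the sample, only the hypothetical .zip link is flagged; the Dropbox .mp4 link and the fragment-only link are not, which is the check worth repeating on the real file's /URI actions before relying on the critical-severity hit above.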

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename: stream_036_off00117e9a.bin
  SHA-256: 9095f3fba6e2c286053d5910af11b078f2420b7dbcb99cffbfe01f99b3b24102
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x117E9A
  Size:    1440000 bytes

Filename: stream_060_off0036a19d.bin
  SHA-256: ca5a3bfc5e840bc3892d2870a5dc6d813a84efbca1ed3bd616b951f519c861a7
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x36A19D
  Size:    207368 bytes

Filename: stream_069_off003b033c.bin
  SHA-256: b66893f809b669405f8a1cc6958550f7a20e31899f82b220b9fc06670ddca7b2
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x3B033C
  Size:    159196 bytes

Filename: stream_071_off003bc845.bin
  SHA-256: 37f3abac2fc668b50719bfb84b9be9c5d1ee4ea85b4eb5fc1162ae83d16bca12
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x3BC845
  Size:    146648 bytes

Filename: stream_078_off003dcc19.bin
  SHA-256: 29f5058f7762b45fdc9fa22eb25c86476ce15ebd0efafc4170e0f5b4b494b037
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x3DCC19
  Size:    202944 bytes

Filename: stream_087_off0040fb44.bin
  SHA-256: b1e5345dca3a26f4c2702df0e41f708bfc6f3b91180beeb221ac4d8b8a54de18
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x40FB44
  Size:    139108 bytes

Filename: stream_089_off00422b02.bin
  SHA-256: db386c719e753dbec001fb477cdd467cb8d52699a6b334b60d55ab71548bb805
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x422B02
  Size:    94772 bytes

Filename: icc_00_off0046e34f.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind:    pdf-icc-profile
  Source:  PDF ICC profile at offset 0x46E34F
  Size:    3144 bytes
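The carving step behind this table, as an added example rather than the scanner's own code: it locates every FlateDecode stream in raw PDF bytes, inflates it without trusting /Length (which may be an indirect reference or simply wrong in a hostile file), hashes the result, and tags ICC profiles by their 'acsp' header signature so they are named the way the table does. The three-object sample PDF is constructed inline and is not a real document; recording the offset of the first byte of stream data, and the filename pattern, are assumptions about what the report's offsets and names mean.

```python
import hashlib
import re
import zlib

# The 'stream' keyword, excluding the one inside 'endstream'.
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")


def carve_flate_streams(pdf: bytes) -> list:
    """Inflate every /FlateDecode stream in raw PDF bytes and describe each
    carved artifact like the table above: filename, SHA-256, kind, source
    offset and size. /Length is ignored on purpose; the inflater stops where
    the zlib data ends and discards whatever follows. The recorded offset is
    the first byte of stream data (an assumption of this example)."""
    artifacts = []
    for m in STREAM_KW.finditer(pdf):
        data_start = m.end()
        # The stream dictionary lies between the enclosing 'N G obj' and 'stream'.
        obj_start = pdf.rfind(b" obj", 0, m.start())
        stream_dict = pdf[obj_start:m.start()] if obj_start != -1 else b""
        if b"/FlateDecode" not in stream_dict:
            continue
        data_end = pdf.find(b"endstream", data_start)
        if data_end == -1:
            continue
        try:
            out = zlib.decompressobj().decompress(pdf[data_start:data_end])
        except zlib.error:
            continue  # truncated or corrupt: nothing to carve
        # An ICC profile carries the 'acsp' signature at byte 36 of its header.
        is_icc = out[36:40] == b"acsp"
        artifacts.append({
            "filename": "%s_%03d_off%08x.%s" % (
                "icc" if is_icc else "stream", len(artifacts), data_start,
                "icc" if is_icc else "bin"),
            "sha256": hashlib.sha256(out).hexdigest(),
            "kind": "pdf-icc-profile" if is_icc else "decompressed-pdf-stream",
            "source": "PDF FlateDecoded stream at offset 0x%X" % data_start,
            "size": len(out),
            "data": out,
        })
    return artifacts


def build_sample_pdf() -> bytes:
    """Constructed sample (not a real document): one compressed content
    stream with an indirect /Length, one compressed dummy ICC profile, and
    one uncompressed stream that the carver must skip."""
    page_text = b"BT /F1 12 Tf 72 700 Td (You have been selected as beneficiary) Tj ET"
    icc = bytearray(256)
    icc[0:4] = len(icc).to_bytes(4, "big")  # profile size field
    icc[36:40] = b"acsp"                     # ICC file signature
    z_text, z_icc = zlib.compress(page_text), zlib.compress(bytes(icc))
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Length 4 0 R /Filter /FlateDecode >>\nstream\n",
        z_text, b"\nendstream\nendobj\n",
        b"2 0 obj\n<< /N 3 /Length %d /Filter /FlateDecode >>\nstream\n" % len(z_icc),
        z_icc, b"\nendstream\nendobj\n",
        b"3 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n",
        b"4 0 obj\n%d\nendobj\n" % len(z_text),
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for a in carve_flate_streams(build_sample_pdf()):
        print(a["filename"], a["sha256"][:16], a["kind"], a["source"], a["size"], "bytes")
```

On a real sample the carved content streams are what you grep for the lure text and the link annotations; the large stream sizes in the table above (1.4 MB and several in the 100-200 KB range) are consistent with images embedded by the authoring application rather than with script or executable content, which is itself worth noting when weighing the verdict.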