Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fb0d496eab69a98…

MALICIOUS

PDF

323.1 KB Created: 2012-08-09 14:07:23 +02:00 Authoring application: Microsoft® Word 2010
MD5: 2af6526bd656fb39c31ba1ffd86a4337 SHA-1: f7da3de9e1632b961ec7567615bdbc1df78a256d SHA-256: 6fb0d496eab69a9818a53c4b9d8d8118cd1fb44c58c6657a7636fe0e8c47c578
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF contains an embedded link that directly points to an executable payload disguised as an ISO file. This heuristic indicates a clear attempt to trick the user into downloading and running malware. The presence of multiple download URLs further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0014

Heuristics 2

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://download.tripy.be/iso/tripyv2.1.iso
    • http://chilp.it/f91bb6
    • http://www.tripy.eu/fr/tripy-2-gps-road-book-moto-route/produits/accessoires
    • http://download.tripy.be/roadtracer/setuptripy_2_1_1_435.exe
    • http://community.tripy.eu/download/update/tripyupdate.exe
    • http://www.daemon-tools.cc/fra/products/dtLite
    • http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYou
    • http://www.microsoft.com/typography/fonts/default.aspx
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H
    • http://www.microsoft.com/pki/certs/CSPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H
    • http://www.microsoft.com/pki/certs/tspca.crt0
    • http://www.microsoft.com/typography

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0001c9f6.bin
530b2c38c0fcc58786a4cdf7128a9a8a7c5842ac792278ea9a661ec9a6a8f3df		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1C9F6 199656 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.