Malicious PDF — malware analysis report

Static analysis result for SHA-256 71d370170174b110…

MALICIOUS

PDF

Size: 710.0 KB
Created: 2010-01-04 21:41:27
Authoring application: Microsoft® Office Word 2007
First seen: 2021-08-20
MD5: 195db9f15d582e43870d4cfc3500b166
SHA-1: 6917832d246b3fbd754fdf8c5ac72cbdc5d2a97a
SHA-256: 71d370170174b110075f536796fccec636ff45e4307ed35749a753e9900c7134
Risk Score: 64

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a direct link to an executable file hosted on godr.altervista.org, indicating an attempt to deliver a payload. The presence of a link to VUPEN advisories suggests the document may be exploiting a known vulnerability. The document body is heavily obfuscated and does not provide clear textual clues, but the heuristic firings strongly suggest a malicious download attempt.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0002

Heuristics (3)

  • PDF_DIRECT_PAYLOAD_LINK (critical): PDF link points directly to executable/archive payload
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.vupen.com/english/advisories/2009/3657 (channel: PDF link annotation)

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_029_off000a27bc.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xA27BC | 24740 bytes | d3018a8b7620992c996414bf6da5988b9cc742d94bcbff0559d5b2c2f09f1616
font_00_sfnt_off00054da9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x54DA9 | 62568 bytes | ffdad8a5b3c9c29f1ed6dc29cef2963e08d844c91165f712a8073969420de8b9
font_01_sfnt_off0005b8e0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B8E0 | 78568 bytes | 43c558f9ce3c7f679b655e8de1c4a8decb79b87419c8464e97c29857329fa292
font_02_sfnt_off00064667.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x64667 | 65668 bytes | c1064561947ddfc22d6f464dc1ec81b20a30de6e461a19cd3f065f0d0f071a01
font_03_sfnt_off0006b200.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B200 | 77484 bytes | 405bf6fca6bd3c09e0da979fcc57dad5a6316b8f6b8b09d958ae1db9c1cb9dcd
font_04_sfnt_off0007410d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7410D | 68752 bytes | bb8c86598a44e20aa0846dddafa695d83755d23e5aacf58fe0d091f580d76bef
font_05_sfnt_off0007a796.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7A796 | 72188 bytes | eba42f188d0ef74380a0f06c5d0fac76693490d4c249e9aa7cbaf1240c4093f5
font_06_sfnt_off0008360c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8360C | 110564 bytes | 2b58b1e15e05056620cbba75497d691f0edb25a9d857940ec32bd5dd185862dc
font_07_sfnt_off0008f4dd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F4DD | 28660 bytes | 3bef0f47b926dbc9046a0452a9939ab06281ac899d55fc9e6164af5f21330146
font_08_sfnt_off00092ce8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x92CE8 | 29300 bytes | 1eaf3518a71c96c5285bedf8dea5ecd8b57d0b0991352fdb3bf22a25b7979154
font_09_sfnt_off000968f1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x968F1 | 23892 bytes | 0eaea83479556710da8a6701b023de0287a70f27c4c13463f266f1e405696c27
font_10_sfnt_off00099af5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x99AF5 | 44596 bytes | 95099620a13e3987af14b85dd09a182063ef57afead1ee3395c3649e67b34bb5
font_11_sfnt_off0009d0db.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D0DB | 62588 bytes | ec9594fb7bde3165d93541b2d38466360a2034ee1c82b1aae7bf61b4f974416d
font_13_sfnt_off000a5289.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA5289 | 60700 bytes | 6ab5976b70f5c9db414383d9c7193239d38e69b0d4362aecd84835f0f0194604
font_14_sfnt_off000ad983.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAD983 | 40672 bytes | de8b3162383ca7810d2f0db651aac29a24ec808aae8302f38cb48ef58bd971d0