Verdict: MALICIOUS (risk score 64)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The PDF carries a link to an archive download on godr.altervista.org (findjmp2.zip, passed as the url= parameter of a download front-end), and that delivery indicator is what drives the verdict. The remaining URLs point at exploit-development material (the VUPEN advisory 2009/3657, exploit-db, corelan, uninformed.org, Metasploit Unleashed, the Intel processor manuals); a link to an advisory shows the document discusses a known vulnerability, not that it exploits one, and no exploit fingerprint fired. The body text offers no clearer clue than these URLs, so the heuristic firings are what point to a malicious download attempt rather than confirmed client-side exploitation. Two checks before acting on the rating: the per-URL labels below record the findjmp2.zip URL only in document text and list the advisory as the sole link annotation, so confirm which URI action actually triggered PDF_DIRECT_PAYLOAD_LINK; and any payload would be in the archive, not in the PDF, so the archive is the thing to fetch and analyse from an isolated host.
Machine Learning
- Nyx PDF Classifier clean score 0.0002
Heuristics (3)
- [critical] PDF_DIRECT_PAYLOAD_LINK: PDF link points directly to executable/archive payload. PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
- [info] PDF_URI: External URI. PDF contains an external URL action.
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs, channel in brackets. The microsoft.com/typography, monotype.com, verisign.com, crl.microsoft.com and ocsp.verisign.com entries are font vendor/licence strings and code-signing certificate-chain (CRL/OCSP) URLs, most likely from the embedded fonts (Microsoft fonts carry a DSIG table signed under the Microsoft Code Signing PCA), not attacker infrastructure; the trailing 0, 0O, 0N and 0b on some of them are DER tag/length bytes swept up by string extraction, and the run-together entries are adjacent name-table strings.
- http://www.vupen.com/english/advisories/2009/3657 [PDF link annotation]
- http://www.google.co.in/url?sa=t&source=web&ct=res&cd=1&ved=0CAcQFjAA&url=http%3A%2F%2Fwww.metasploit.com%2Fredmine%2Fattachments%2Fdownload%2F95&rct=j&q=advisory+to+exploit+metasploit+paper&ei=K7JDS63WMIve7AP3nuDfBQ&usg=AFQjCNF-2Y1r_5W74X_nV0f3wXVatibmzQ&sig2=vX83qGYM7C_JMpOLVusf0g [PDF document text]
- http://www.ngssoftware.com/papers/ [PDF document text]
- http://www.uninformed.org/ [PDF document text]
- http://www.corelan.be:8800/index.php/category/security/exploits/ [PDF document text]
- https://www.securinfos.info/english/security-papers-hacking-whitepapers.php [PDF document text]
- https://www.securinfos.info/english/security-papers-hacking- [PDF document text]
- http://ocsp.verisign.com0 [PDF document text]
- http://www.monotype.comHoward [PDF document text]
- http://www.exploit-db.com/exploits/10973 [PDF document text]
- http://www.vimeo.com/doublezer0/videos [PDF document text]
- http://godr.altervista.org/index.php?mod=none_Fdplus&fdaction=download&url=sections/Download/useful_tools/findjmp2.zip [PDF document text]
- http://www.metasploit.com/redmine/attachments/download/95 [PDF document text]
- http://www.intel.com/products/processor/manuals/ [PDF document text]
- http://www.offensive-security.com/metasploit-unleashed/ [PDF document text]
- http://www.exploit-db.com/papers [PDF document text]
- http://godr.altervista.org/index.php?mod=none_Fdplus&fdaction=download [PDF document text]
- http://www.microsoft.com/truetype/fonts/wingdings/http://www.microsoft.com/truetype/designers/bandh/ [PDF document text]
- https://www.verisign.com/repository/CPS [PDF document text]
- https://www.verisign.com [PDF document text]
- https://www.verisign.com/repository/verisignlogo.gif0 [PDF document text]
- https://www.verisign.com/CPS0b [PDF document text]
- http://www.microsoft.com/typography [PDF document text]
- http://www.microsoft.com/typography/ctfontshttp://www.typography.netYou [PDF document text]
- http://www.microsoft.com/typography/fonts/default.aspx [PDF document text]
- http://crl.verisign.com/ThawteTimestampingCA.crl0 [PDF document text]
- http://crl.verisign.com/tss-ca.crl0 [PDF document text]
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O [PDF document text]
- http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0 [PDF document text]
- http://www.microsoft.com/typography/fonts/default.aspxhttp://www.typography.netYou [PDF document text]
- https://www.verisign.com/rpa [PDF document text]
- http://ocsp.verisign.com/ocsp/status0 [PDF document text]
- https://www.verisign.com/rpa0 [PDF document text]
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0 [PDF document text]
- http://www.microsoft.com/typography/ctfontshttp://www.fonts.comYou [PDF document text]
- http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYou [PDF document text]
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0N [PDF document text]
- http://www.microsoft.com/pki/certs/CodeSignPCA.crt0 [PDF document text]
- https://www.verisign.com/repository/RPA0 [PDF document text]
- https://www.verisign.com/repository/verisignlogo.gif0 [PDF document text]
- https://www.verisign.com/CPS [PDF document text]
- https://www.verisign.com/repository/CPS [PDF document text]
- http://www.microsoft.com/truetype/0 [PDF document text]
- http://www.monotype.com/html/mtname/ms_couriernew.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html [PDF document text]
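The two heuristics above are easy to reproduce and worth reproducing when a report's per-URL labels and its critical finding disagree, as they do here. The script below is an added example written for this page, not the analyzer's own code: it pulls URLs out of a PDF through the two channels the report distinguishes (clickable /URI link-annotation actions versus plain occurrences in inflated content streams) and rates each one. It deliberately checks query-string values as well as the URL path, because the flagged altervista link carries findjmp2.zip in its url= parameter while its path ends in index.php, which the heuristic text ("whose path ends in") would miss. The PDF it runs on is constructed in-line with the report's altervista URL wired into a link annotation; the payload-extension list is an assumption, as are the function names.

```python
"""Re-implementation of the PDF_DIRECT_PAYLOAD_LINK / EMBEDDED_URL logic on a
constructed PDF. Added example for this report, not the analyzer's own code."""
from __future__ import annotations

import re
import zlib
from urllib.parse import parse_qsl, unquote, urlsplit

# Extensions treated as payload delivery (assumed list; extend to taste).
PAYLOAD_EXTS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".msi",                 # executables/installers
    ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta",  # scripts
    ".lnk", ".url",                                                 # shortcuts
    ".iso", ".img", ".vhd", ".vhdx", ".dmg",                        # disk images
    ".zip", ".rar", ".7z", ".cab", ".jar", ".tar", ".gz",           # archives
}
# /A << /S /URI /URI (...) >> is the clickable channel (link annotation).
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")
# Stream objects: the dictionary may not cross an endobj, so one object per match.
STREAM_RE = re.compile(rb"obj\s*<<(?P<dict>(?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # not an indirect ref
HTTP_RE = re.compile(rb"https?://[^\s<>()\"']+")


def _pdf_string(raw: bytes) -> str:
    """Undo PDF literal-string escapes (octal, \\( \\) \\\\); enough for URLs."""
    raw = re.sub(rb"\\([0-7]{1,3})", lambda m: bytes([int(m.group(1), 8) & 0xFF]), raw)
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """URLs a click reaches: /URI actions on link annotations."""
    return [_pdf_string(m.group("uri")) for m in URI_ACTION_RE.finditer(pdf)]


def extract_text_urls(pdf: bytes) -> list[str]:
    """URLs that merely occur in content streams (FlateDecode streams are inflated)."""
    urls = []
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        length = DIRECT_LENGTH_RE.search(m.group("dict"))
        if length:  # trust a direct /Length; binary data may contain anything
            body = pdf[start:start + int(length.group(1))]
        else:       # indirect /Length: fall back to the endstream keyword
            body = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt or not really deflate: skip rather than guess
        urls += [u.decode("latin-1") for u in HTTP_RE.findall(body)]
    return urls


def payload_extension(url: str) -> str | None:
    """Extension of the file a URL delivers, or None. Checks the path and every
    query-string value: download front-ends pass the real filename as a parameter,
    which is exactly how the flagged altervista link carries its .zip."""
    parts = urlsplit(url)
    names = [unquote(parts.path)] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for n in names:
        leaf = n.rstrip("/").rsplit("/", 1)[-1].lower()
        if "." in leaf and "." + leaf.rsplit(".", 1)[-1] in PAYLOAD_EXTS:
            return "." + leaf.rsplit(".", 1)[-1]
    return None


def triage(pdf: bytes) -> list[dict]:
    """One finding per URL. Only a clickable link to a payload is the high-risk
    indicator; the same URL in body text is informational (EMBEDDED_URL)."""
    findings = []
    for channel, urls in (("PDF link annotation", extract_uri_actions(pdf)),
                          ("PDF document text", extract_text_urls(pdf))):
        for u in urls:
            ext = payload_extension(u)
            sev = "critical" if ext and channel == "PDF link annotation" else "info"
            findings.append({"url": u, "channel": channel, "payload_ext": ext, "severity": sev})
    return findings


def build_sample_pdf() -> bytes:
    """Constructed input (not the analysed file): one page, a link annotation to the
    report's archive URL, and a deflated content stream holding two body-text URLs.
    No xref table, so a viewer may have to rebuild one; the parser above does not care."""
    link = (b"http://godr.altervista.org/index.php?mod=none_Fdplus"
            b"&fdaction=download&url=sections/Download/useful_tools/findjmp2.zip")
    content = zlib.compress(
        b"BT /F1 12 Tf 72 700 Td (See http://www.exploit-db.com/exploits/10973 and "
        b"http://godr.altervista.org/index.php?mod=none_Fdplus&fdaction=download) Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 400 712] /A << /S /URI /URI (" + link + b") >> >>",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    for f in triage(build_sample_pdf()):
        print(f"{f['severity']:8} {f['channel']:20} {f['payload_ext'] or '-':5} {f['url']}")
```

On the constructed file the altervista archive link rates critical only because it sits in a link annotation; the two body-text URLs, including the altervista front-end without a url= parameter, come out as info. Run against the real sample, the same split answers the question left open above: whether findjmp2.zip is reachable by a click or only quoted in the text.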
Extracted artifacts (15)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size (bytes) | SHA-256 |
|---|---|---|---|---|
| stream_029_off000a27bc.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xA27BC | 24740 | d3018a8b7620992c996414bf6da5988b9cc742d94bcbff0559d5b2c2f09f1616 |
| font_00_sfnt_off00054da9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x54DA9 | 62568 | ffdad8a5b3c9c29f1ed6dc29cef2963e08d844c91165f712a8073969420de8b9 |
| font_01_sfnt_off0005b8e0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B8E0 | 78568 | 43c558f9ce3c7f679b655e8de1c4a8decb79b87419c8464e97c29857329fa292 |
| font_02_sfnt_off00064667.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x64667 | 65668 | c1064561947ddfc22d6f464dc1ec81b20a30de6e461a19cd3f065f0d0f071a01 |
| font_03_sfnt_off0006b200.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B200 | 77484 | 405bf6fca6bd3c09e0da979fcc57dad5a6316b8f6b8b09d958ae1db9c1cb9dcd |
| font_04_sfnt_off0007410d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7410D | 68752 | bb8c86598a44e20aa0846dddafa695d83755d23e5aacf58fe0d091f580d76bef |
| font_05_sfnt_off0007a796.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7A796 | 72188 | eba42f188d0ef74380a0f06c5d0fac76693490d4c249e9aa7cbaf1240c4093f5 |
| font_06_sfnt_off0008360c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8360C | 110564 | 2b58b1e15e05056620cbba75497d691f0edb25a9d857940ec32bd5dd185862dc |
| font_07_sfnt_off0008f4dd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8F4DD | 28660 | 3bef0f47b926dbc9046a0452a9939ab06281ac899d55fc9e6164af5f21330146 |
| font_08_sfnt_off00092ce8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x92CE8 | 29300 | 1eaf3518a71c96c5285bedf8dea5ecd8b57d0b0991352fdb3bf22a25b7979154 |
| font_09_sfnt_off000968f1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x968F1 | 23892 | 0eaea83479556710da8a6701b023de0287a70f27c4c13463f266f1e405696c27 |
| font_10_sfnt_off00099af5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x99AF5 | 44596 | 95099620a13e3987af14b85dd09a182063ef57afead1ee3395c3649e67b34bb5 |
| font_11_sfnt_off0009d0db.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D0DB | 62588 | ec9594fb7bde3165d93541b2d38466360a2034ee1c82b1aae7bf61b4f974416d |
| font_13_sfnt_off000a5289.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA5289 | 60700 | 6ab5976b70f5c9db414383d9c7193239d38e69b0d4362aecd84835f0f0194604 |
| font_14_sfnt_off000ad983.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAD983 | 40672 | de8b3162383ca7810d2f0db651aac29a24ec808aae8302f38cb48ef58bd971d0 |