Malicious PDF — malware analysis report

Static analysis result for SHA-256 72ebe76ac6276fbc…

MALICIOUS

PDF

493.7 KB First seen: 2021-06-04
MD5: 11e17772b16e180bb9f337fc30b69b51 SHA-1: e074bee1f358f5d4f5c4f774ce7680c490425356 SHA-256: 72ebe76ac6276fbca2db0db70869afd65639264e091354e1a2b57ea9e6cdfb78
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a direct link to an executable payload disguised as an ISO file, indicating an attempt to deliver malware. The embedded URL also points to a potentially malicious domain. The presence of a direct payload link is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 3

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dombijela.me/pdf/Listingdetails/index.php PDF link annotation
    • https://cdn.discordapp.com/attachments/819498679344955405/821381318298173461/PPHU_AGROLAND_s.c..isoIn PDF document text
    • https://cdn.discordapp.com/attachments/819498679344955405/821652669399302184/Fargo_PWpdf.isoIn PDF document text
    • https://cdn.discordapp.com/attachments/819498679344955405/824189164797952030/dokument0340204pdf.isoIn PDF document text
    • https://cdn.discordapp.com/attachments/846251400047493122/846312825349210112/Alior_Bank.isoIn PDF document text
    • https://cdn.discordapp.com/attachments/846251400047493122/846622967584915456/Alior_Bankpdf.isoIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_062_off0007a218.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7A218 54405 bytes
SHA-256: 19c4502f5051004e500a53d022629ee12aa0e2f99fa6d0db64cecc9521cac8ca

Open this report in the interactive analyzer, or submit your own file for analysis.