Malicious PDF — malware analysis report

Static analysis result for SHA-256 823d0878b82a4aa6…

Verdict: MALICIOUS
File type: PDF

Size: 1.30 MB
Created: 2013-01-15 16:26:15 +02:00
Authoring application: Microsoft® Office Word 2007
MD5: 29775b8f305fc8a84a426e59e6a01bd8
SHA-1: f06c9715ddb861af7a147d6e1f1c127a5620a9cc
SHA-256: 823d0878b82a4aa66acdf2d2bd865073756c20723fd280a3a53d91a80e020b56
Risk Score: 64

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (listed here under the name "Spearphishing Attachment", which is T1566.001; a PDF that arrives as an attachment and carries a clickable URI fits both sub-techniques)
  • T1059.001 Command and Scripting Interpreter: PowerShell (no script content was extracted from this sample, so nothing in the artifacts below supports this mapping; treat it as unconfirmed)

A heuristic flags the document as a password-protected archive lure: the text gives the reader a password for an accompanying archive or attachment, a pattern used to keep the real payload encrypted until after mail-gateway scanning, not to harvest the reader's credentials. One clickable URI points to 192.168.1.35:88, an RFC 1918 private IPv4 address on a non-standard port. A raw-IP link destination is suspicious on its own (see PDF_URI_IP_LITERAL below), but a private address is unreachable from outside the recipient's own network and therefore cannot serve a public delivery chain; treat it as a possible test artifact or an internal-network target rather than as confirmed infrastructure. No scripts were extracted from this sample, so the payload delivery mechanism could not be analysed further. The remaining URLs (www.iec.ch, www.whatismyip.com, portforward.com) are ordinary named hosts and carry no detection by themselves.

Heuristics (4)

  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment; often used to keep payloads encrypted until after gateway scanning.
  • Clickable URI points to raw IP address [medium] PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure. Here the address is 192.168.1.35:88, a private (RFC 1918) address that is not reachable from the public internet.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://192.168.1.35:88/ (the clickable URI action behind PDF_URI_IP_LITERAL)
    • http://www.iec.ch
    • http://www.whatismyip.com/
    • http://portforward.com/help/portforwarding.htm

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                     Kind                     Source                                      Size
stream_014_off0004bcac.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x4BCAC   2934372 bytes
    SHA-256: 5a6a3b6c65ded39aec20e2d16d13e95f1a6392d5923cf290eb365942d8432409
stream_042_off000ee18a.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0xEE18A   508560 bytes
    SHA-256: 4ca7dc22c3a3374c0b682d58bd0d36b03a31ac5351e61d112a815c78b2742093
stream_056_off00117c88.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x117C88  674984 bytes
    SHA-256: 7e8d92afac499880862e45b96c01c2471a0603ada941a23a5771e13ed449fb64
stream_058_off00129817.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x129817  660500 bytes
    SHA-256: 4d905306fa7359b95913d56a20f91de25edd6df37226c938343ad2b06f72e499

Sizes and hashes are of the decompressed content (the largest stream inflates to more than twice the size of the 1.30 MB file).