Malicious PDF — malware analysis report

Static analysis result for SHA-256 b25616523139bc43…

MALICIOUS

PDF

72.0 KB Created: 2018-06-19 02:28:32 Authoring application: Qt 5.5.1
MD5: f16d3f3111e1db60854038e203e697a3 SHA-1: 0ec4b8027632bd983804863da9f8bd0f55161229 SHA-256: b25616523139bc43550f7c3c70ffa9e0cd85afbc0804217510595db5220849a1
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains multiple invisible links that direct the user to malicious URLs. These links are designed to trick the user into downloading a payload. The heuristics indicate that these are repeated payload links, suggesting a downloader or droppper functionality. No scripts were extracted from this sample, limiting further analysis of its behavior.

Machine Learning

  • Nyx PDF Classifier clean score 0.0052

Heuristics 2

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://leudelilke.moimirknigek.ru/?dt&keyword=%D1%80%D1%83%D1%81%D0%BA%D0%B8+%D1%81%D0%B0%D0%B9%D1%82%D0%BE%D0%B2%D0%B5+%D0%B7%D0%B0+%D0%B7%D0%B0%D0%BF%D0%BE%D0%B7%D0%BD%D0%B0%D0%BD%D1%81%D1%82%D0%B2%D0%B0+&charset=utf-8&source=weebly.com
    • http://leudelilke.rupersik.ru/?dt&keyword=%D1%80%D1%83%D1%81%D0%BA%D0%B8+%D1%81%D0%B0%D0%B9%D1%82%D0%BE%D0%B2%D0%B5+%D0%B7%D0%B0+%D0%B7%D0%B0%D0%BF%D0%BE%D0%B7%D0%BD%D0%B0%D0%BD%D1%81%D1%82%D0%B2%D0%B0+&charset=utf-8&source=weebly.com

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d639.bin
a8a2c2e3eb725a6eb2a6bd3ca14eec8d90ce909189c511f7e03671b9a14f4008		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD639 1444 bytes
font_01_sfnt_off0000ddb9.bin
c3cd81ea0fd10694832069aa2b2d04d9d4203152513701f4498afc4368f36cc1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDDB9 26648 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.