Malicious PDF — malware analysis report

Static analysis result for SHA-256 b763d1c3661065fb…

Verdict: MALICIOUS
File type: PDF
Size: 8.52 MB
MD5: bd46c211087dfbcdbe35a232fee152dd
SHA-1: b99e76d699a08b8c8e214d2dab7a8e66bffbda2a
SHA-256: b763d1c3661065fb50634e9add77a2d566e8fb5e365612ad29dc6ed38f5811ba
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains multiple invisible and repeated links designed to lure the user into downloading a payload. One critical heuristic, PDF_REPEATED_PAYLOAD_LINK_LURE, flagged a link pointing to a ZIP archive. The presence of external URIs and the nature of the lure suggest a phishing or malware delivery attempt. No scripts were extracted from the document, so the exact payload and any persistence mechanism could not be determined from static analysis alone.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1794

Heuristics (3)

  • PDF_REPEATED_PAYLOAD_LINK_LURE (critical): Invisible/repeated PDF links deliver payload file
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_cff_off00821aaf.bin
    SHA-256: 088fbd00233a8b27e5706ab78b8c9273788b6f8cb83126c1c5b84950fdce8333
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x821AAF
    Size: 32017 bytes
  • font_01_cff_off008270c7.bin
    SHA-256: 0a2faa6dbd72573c3ae40140d449c03e0b5c87925f76aef5b46a60935a3486e1
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x8270C7
    Size: 32546 bytes