Malicious PDF — malware analysis report

Static analysis result for SHA-256 b84e351a2bee6a93…

MALICIOUS

PDF

72.8 KB Created: 2010-05-29 04:10:48 +00:00 Authoring application: ReportLab http://www.reportlab.com
MD5: f724177712b1f558b0d60bc715c597e0 SHA-1: b8aff29c9b04935ba315c3a25b835b6c2048ce35 SHA-256: b84e351a2bee6a9310dfcf31c8734d4b1678017a99a346825ccfbea9694e58ee
124 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

This PDF document contains multiple links, with one specifically identified as a direct payload link to 'http://en.wikipedia.org/w/index.php?title=24x7payments.com'. The document body and other extracted URLs relate to payment services, suggesting a financial scam or phishing attempt. The presence of embedded files and the use of ASCII85Decode filters are common techniques in malicious PDF delivery. The ML classifier also flagged this document as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7386

Heuristics 7

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.reportlab.com
    • http://en.wikipedia.org/w/index.php?title=Payment_service_provider
    • http://en.wikipedia.org/w/index.php?title=24x7payments.com
    • http://en.wikipedia.org/w/index.php?title=AlertPay
    • http://en.wikipedia.org/w/index.php?title=Barclaycard_ePDQ
    • http://en.wikipedia.org/w/index.php?title=Beenz
    • http://en.wikipedia.org/w/index.php?title=Bucks_Net
    • http://en.wikipedia.org/w/index.php?title=CyberBucks
    • http://en.wikipedia.org/w/index.php?title=DigiCash
    • http://en.wikipedia.org/w/index.php?title=CyberCoin
    • http://en.wikipedia.org/w/index.php?title=Datacash
    • http://en.wikipedia.org/w/index.php?title=ECash
    • http://en.wikipedia.org/w/index.php?title=Elavon
    • http://en.wikipedia.org/w/index.php?title=FasterPay
    • http://en.wikipedia.org/w/index.php?title=Firstgate
    • http://en.wikipedia.org/w/index.php?title=Flooz
    • http://en.wikipedia.org/w/index.php?title=Heidelpay
    • http://en.wikipedia.org/w/index.php?title=HSBC
    • http://en.wikipedia.org/w/index.php?title=IKobo
    • http://en.wikipedia.org/w/index.php?title=IKP
    • http://en.wikipedia.org/w/index.php?title=LibertyReserve
    • http://en.wikipedia.org/w/index.php?title=MagicMoney
    • http://en.wikipedia.org/w/index.php?title=Microeuro
    • http://en.wikipedia.org/w/index.php?title=MicroMint
    • http://en.wikipedia.org/w/index.php?title=Micromoney
    • http://en.wikipedia.org/w/index.php?title=MilliCent
    • http://en.wikipedia.org/w/index.php?title=Mondex
    • http://en.wikipedia.org/w/index.php?title=Moneybookers
    • http://en.wikipedia.org/w/index.php?title=MPAY24
    • http://en.wikipedia.org/w/index.php?title=NetCash
    • http://en.wikipedia.org/w/index.php?title=Ouroboros
    • http://en.wikipedia.org/w/index.php?title=Pago
    • http://en.wikipedia.org/w/index.php?title=PayMe
    • http://en.wikipedia.org/w/index.php?title=PayPal
    • http://en.wikipedia.org/w/index.php?title=PayPay
    • http://en.wikipedia.org/w/index.php?title=PayPoint.net
    • http://en.wikipedia.org/w/index.php?title=PaySafeCard
    • http://en.wikipedia.org/w/index.php?title=PayYourRent.com
    • http://en.wikipedia.org/w/index.php?title=PayXpert
    • http://en.wikipedia.org/w/index.php?title=PayWord
    • http://en.wikipedia.org/w/index.php?title=PeerTransfer
    • http://en.wikipedia.org/w/index.php?title=Peppercoin
    • http://en.wikipedia.org/w/index.php?title=Qunits.net
    • http://en.wikipedia.org/w/index.php?title=RBS_WorldPay
    • http://en.wikipedia.org/w/index.php?title=Realex
    • http://en.wikipedia.org/w/index.php?title=RentPayment
    • http://en.wikipedia.org/w/index.php?title=Sage_Pay
    • http://en.wikipedia.org/w/index.php?title=Safecharge
    • http://en.wikipedia.org/w/index.php?title=Secure_Trading
    • http://en.wikipedia.org/w/index.php?title=SIX_Card_Solutions_GmbH
    +10 more URL(s)

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0090.bin
541e9b9cd590315be88a6e153a708f8a4de8115fcbe922dca06197b251dd3efd		 pdf-embedded-file PDF EmbeddedFile object 90 at offset 0xE204 31826 bytes
embedded_file_obj0088.bin
d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777		 pdf-embedded-file PDF EmbeddedFile object 88 at offset 0x11650 84 bytes
embedded_file_obj0089.bin
24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0		 pdf-embedded-file PDF EmbeddedFile object 89 at offset 0x11702 228 bytes
embedded_file_obj0091.bin
c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460		 pdf-embedded-file PDF EmbeddedFile object 91 at offset 0x117F3 199 bytes
embedded_file_obj0092.bin
846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7		 pdf-embedded-file PDF EmbeddedFile object 92 at offset 0x118E4 119 bytes
embedded_file_obj0093.bin
e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876		 pdf-embedded-file PDF EmbeddedFile object 93 at offset 0x1199C 77 bytes
embedded_file_obj0094.bin
92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a		 pdf-embedded-file PDF EmbeddedFile object 94 at offset 0x11A43 56 bytes
stream_001_off000047d7.bin
dd61f9b7e9810726b48da8ef71fccdf9703f17e2db2b306fbf30e6ddffb21e06		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x47D7 14096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.