PDF malware analysis — malicious · c40a2bc8d6d09090

MALICIOUS

PDF

100.1 KB Created: 2017-04-21 09:55:10 +02:00 Authoring application: Writer (via LibreOffice 5.2)

MD5: aa9ba2d437b062efb7f75b23761cc70c SHA-1: d3b0bf44a29995c28446e453636732f296ef09d6 SHA-256: c40a2bc8d6d090903ab0a8f9dd12feca9a370e28f9d4f1aa27d52dedc050ee40

110 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.002 Spearphishing Attachment T1071.001 Web Protocols

The PDF contains embedded JavaScript that creates a dialog box prompting the user for Amazon email and password credentials. Upon submission, the script constructs a URL using the entered credentials and submits it to a suspicious domain, indicating a credential harvesting attempt. The ML classifier and ClamAV detection strongly support the malicious nature of this PDF, classifying it as a dropper. The embedded JavaScript is responsible for the phishing lure and exfiltration of credentials to the identified URLs.

Machine Learning

Nyx PDF Classifier malicious score 0.9949

Heuristics 5

ClamAV: Pdf.Dropper.Agent-6305061-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-6305061-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://sellercentral.amazon.de.JHINTRTVY8F9BT99709T3YGRFFRVY.tippitoppington.me/?c=
- http://sellercentral.amazon.de.8TGEG8YR8Y64GT48RGBFGR6743T45.tippitoppington.me/?c=
- http://sellercentral.amazon.co.uk.8TGEG8YR8Y64GT48RGBFGR6743T45.tippitoppington.me/?c=
- http://sellercentral.amazon.co.uk.8TGEG8YR8Y64GT48RGBFGR6743T.tippitoppington.me/?c=
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0029_000.js` `c2d4828356e137df4a0c6cb7e3005a290be9e3e6b189eb8625ffd364c4dfff5b`	pdf-javascript-stream	PDF /JS object 29 at offset 0xC1FD	1009 bytes
`javascript_obj0039_001.js` `d412158d05a2df819e1b62f5e5364bf986410543eb3055d7cfdbfb891009e729`	pdf-javascript-stream	PDF /JS object 39 at offset 0x16AC7	1001 bytes
`javascript_obj0040_002.js` `99558dcf2023e448500675fae74146d15d856f41fa3801d4a540215b99e27acc`	pdf-javascript-stream	PDF /JS object 40 at offset 0x17C5F	1004 bytes
`javascript_obj0041_003.js` `eb4c183d9fbaeba38ceb4b603316bb54a7a509b1517381f61c194d9fa2ad01a0`	pdf-javascript-stream	PDF /JS object 41 at offset 0x18D31	1002 bytes
`font_00_sfnt_off00006cf1.bin` `3410eb31f3f8bffef60dbba2be625da0fa1dea4652e1e933cff579d0b2fb6e87`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6CF1	56356 bytes
`font_01_sfnt_off00011947.bin` `7ab517d1c2b4314b2ccd82545283993637b065dbe236f3ca12b928b88ee4c17a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11947	55354 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.