Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd6d61693ba7ee31…

MALICIOUS

PDF

70.6 KB Created: 2018-10-09 18:10:03 +03:00 Authoring application: Microsoft® Word for Office 365
MD5: 1832cfcbf3a190eee48239cfdc9ed62f SHA-1: 4cea4697d0a634ef205b08e7e03b39abbf070b32 SHA-256: cd6d61693ba7ee310c615d4fc1669798c81bdb1033e5d157f9012985d49df55b
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1534 Use Alternate Authentication Material

The PDF document contains a lure consistent with credential harvesting, specifically impersonating a document signing service and requesting MFA confirmation. It embeds a malicious URL, http://biteonbananas.info/weds/index.php?denimsport=brut, which is likely used to host a phishing page or deliver a secondary payload. The heuristics indicate a MFA/one-time-code harvesting lure and a document signing service impersonation.

Heuristics 4

  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Document signing service impersonation lure medium SE_DOCUSIGN_LURE
    Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://biteonbananas.info/weds/index.php?denimsport=brut
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Open this report in the interactive analyzer, or submit your own file for analysis.