Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0236285ad26ab54…

Verdict: MALICIOUS
File type: PDF
Size: 167.4 KB
MD5: fbf935ea83943bd2b553905c1ff0de0f
SHA-1: 7819fb5f0fbb9134be810aacc480c989233a5a2d
SHA-256: d0236285ad26ab54d2737c501ae7a2862c2026fa463ecf40ead91325232b955e
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The PDF file contains a hidden HTML iframe, which is a common technique for redirecting users to malicious websites. The JBIG2Decode filter is also present, which can sometimes be used for obfuscation or to embed malicious content. One embedded URL, http://www.ereading.cz/mamu.htm, has an unknown reputation and is likely the target of the iframe.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0010

Heuristics (3)

  • PDF contains hidden external HTML iframe (severity: high, rule: PDF_HIDDEN_HTML_IFRAME)
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • JBIG2Decode filter (severity: medium, rule: PDF_JBIG2)
    JBIG2 image decoder present — historically used in zero-click exploits
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.ereading.cz/mamu.htm
    Other URLs extracted from the document (standard XMP/RDF metadata namespace identifiers):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Each entry lists: filename, SHA-256, kind, source, size.

  • stream_028_off0001e65d.bin
    SHA-256: 5ef2d0221de6b5269d44fa56086d4caa8b9be81799395882cb1e0da3187689a5
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x1E65D | Size: 19582 bytes
  • jbig2_00_off0000f115.bin
    SHA-256: 61dc65ade8ca79594e9ca14104313c6437549703002d8b53079781adc2b3d8de
    Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xF115 | Size: 843 bytes
  • jbig2_01_off00011b8d.bin
    SHA-256: 691f08c2b3d50571d42b10f81924bb58ac3a3190f594d0fa43e4f5f697ca213c
    Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x11B8D | Size: 200 bytes
  • font_00_cff_off0000e675.bin
    SHA-256: 0311bfd4730627b94a35d6610fba1f9b1383c81f650c6ab6dcd1826568a566a1
    Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0xE675 | Size: 2493 bytes
  • font_01_cff_off00010cb6.bin
    SHA-256: 61696521e179ad5f8d932a05721ba1dd8070c4f702383e36cac020eb95039c05
    Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0x10CB6 | Size: 4059 bytes
  • font_02_cff_off00019f8e.bin
    SHA-256: 2082a1b71c41f87e6d381737291860d412c29b031d252c1dcbce5cf2ae38d336
    Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0x19F8E | Size: 1093 bytes
  • font_03_cff_off0001a605.bin
    SHA-256: a23dbd1ff35eb56344bebabaf48714b292f1a6fe1ed2bf6fd242460e88a1cb3f
    Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0x1A605 | Size: 20927 bytes
  • font_05_cff_off00022892.bin
    SHA-256: 7ee8cf5d1f3fb6e841b93a81f93e33e8176286cd5143a6ff55c88f74d2b1f42d
    Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0x22892 | Size: 7163 bytes
  • font_06_cff_off00023e24.bin
    SHA-256: dd2784222ca1edc2f185bee0d7c9c6275e0e794fe6f2d6882193c060003a624c
    Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0x23E24 | Size: 19254 bytes