Malicious PDF — malware analysis report

Static analysis result for SHA-256 d19fb02b86602dfe…

MALICIOUS

PDF

Size: 42.1 KB
Created: 2018-11-26 20:10:18 +03:00
Authoring application: - (via GNU Ghostscript 6.53)
MD5: 571d36c5a04574001f7b47b2d63a1c3c
SHA-1: 01e88ad58c344367b825ff7e8ab13e94b5e9ae43
SHA-256: d19fb02b86602dfe09e6ed9b9bc8c75fe2a5235acb7d2525062003696b7cb807
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell; T1204.002 Malicious File

The PDF contains an embedded script payload, indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic. This script is likely designed to download and execute further malicious content. The embedded URL, http://www.gorillawalker.com/mcdougal-littell-middle-school-math-course-2-chapter-audio-summaries.pdf, is a strong indicator of the delivery mechanism. The presence of an embedded script and external URI points towards a malicious document designed for payload delivery.

Heuristics (4)

  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.gorillawalker.com/mcdougal-littell-middle-school-math-course-2-chapter-audio-summaries.pdf
    • http://www.gorillawalker.com/my-lady-viper-tales-from-the-tudor-court-book-1.pdf
    • http://www.gorillawalker.com/moral-matters-a-philosophy-of-homecoming.pdf
    • http://www.gorillawalker.com/keeker-and-the-springtime-surprise-book-4-in-the-sneaky.pdf
    • http://www.gorillawalker.com/english-simplified-12th-edition.pdf
    • http://www.gorillawalker.com/sweeney-todd.pdf
    • http://www.gorillawalker.com/forms-of-speech-in-victorian-fiction.pdf
    • http://www.gorillawalker.com/the-flight-of-henrietta.pdf
    • http://www.gorillawalker.com/diamond-willow.pdf
    • http://www.gorillawalker.com/the-fish-immune-system-volume-15-organism-pathogen-and-environment.pdf
    • http://www.gorillawalker.com/oman-the-petrochemicals-sector-an-article-from-aps-review-downstream.pdf
    • http://www.gorillawalker.com/bacterial-sensing-and-signaling-contributions-to-microbiology.pdf
    • http://www.gorillawalker.com/bentley-motors-1945-1964-classic-marques.pdf
    • http://www.gorillawalker.com/enteric-nervous-system-the-brain-in-the-gut-integrated-systems.pdf
    • http://www.gorillawalker.com/playing-the-nation-game-the-ambiguities-of-nationalism-in-india.pdf
    • http://www.gorillawalker.com/the-china-well-being-minsheng-development-report-2012.pdf
    • http://www.gorillawalker.com/white-line-fever-the-autobiography.pdf
    • http://www.gorillawalker.com/michelin-map-poland-720-maps-country-michelin.pdf
    • http://www.gorillawalker.com/automotive-bodywork-the-secrets-to-filling-automotive-bodywork-rust-repair.pdf
    • http://www.gorillawalker.com/glacial-sedimentary-environments-sepm-short-course-notes-no-16.pdf
    • http://www.gorillawalker.com/tennis-strokes-and-tactics-improve-your-game.pdf
    • http://www.gorillawalker.com/highland-pipe-music.pdf
    • http://www.gorillawalker.com/the-pearl-rare-victorian-erotica-volumes-8-9-10.pdf
    • http://www.gorillawalker.com/soiled.pdf
    • http://www.gorillawalker.com/the-book-of-the-archers.pdf
    • http://www.gorillawalker.com/the-great-crash-of-2008.pdf
    • http://www.gorillawalker.com/bisk-cpa-review-financial-accounting-reporting-40th-edition-2011-comprehensive.pdf
    • http://www.gorillawalker.com/pussycat-pussycat-where-have-you-been.pdf
    • http://www.gorillawalker.com/lose-weight-with-paleo-cookbook-an-easy-30-day-meal.pdf
    • http://www.gorillawalker.com/philosophy-and-exegesis-in-simplicius-the-methodology-of-a-commentator.pdf
    • http://www.gorillawalker.com/sand-hill.pdf
    • http://www.gorillawalker.com/ketogenic-pressure-cooker-recipes-scrumptious-fat-burning-recipes-to-help.pdf
    • http://www.gorillawalker.com/feeling-fat-fuzzy-or-frazzled-a-3-step-program-to.pdf
    • http://www.gorillawalker.com/clinical-ophthalmology-companion.pdf
    • http://www.gorillawalker.com/escape-on-the-pearl-the-heroic-bid-for-freedom-on.pdf
    • http://www.gorillawalker.com/pocahontas-lives-and-times.pdf
    • http://www.gorillawalker.com/dank-2-0-the-quest-for-the-very-best-marijuana.pdf
    • http://www.gorillawalker.com/through-artists-eyes.pdf
    • http://www.gorillawalker.com/iso-7263-1994-corrugating-medium-determination-of-the-flat-crush.pdf
    • http://www.gorillawalker.com/eric-carle-s-123-the-world-of-eric-carle.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_00003ffb.bin
SHA-256: 3c3c46b6230a81ba31ddb2600b088955d4b50fb9556d5330306dd01bf4e6ff12
Kind: pdf-embedded-script
Source: PDF decompressed stream script payload at offset 0x3FFB
Size: 36617 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).