Malicious PDF — malware analysis report

Static analysis result for SHA-256 db802f8e5554b48e…

MALICIOUS

PDF

72.8 KB Created: 2010-05-29 04:10:48 +00:00 Authoring application: ReportLab http://www.reportlab.com
MD5: e8dc73beac258958f9f6019fe0ea31d6 SHA-1: 93aa4f28f0f4171871facee1b05799c634c79f3b SHA-256: db802f8e5554b48e16dd843dc381d4a044f06089948cc294b07568f760bd6d34
126 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: Malicious Link

The PDF contains a direct link to an executable payload disguised as a Wikipedia article about payment services. The ML classifier also flagged this PDF as malicious. The presence of multiple embedded files and the use of PDF filters like ASCII85Decode suggest an attempt to obfuscate malicious content. The primary goal appears to be tricking the user into downloading and executing a payload, likely for financial fraud.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7386

Heuristics 7

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.reportlab.com
    • http://en.wikipedia.org/w/index.php?title=Payment_service_provider
    • http://en.wikipedia.org/w/index.php?title=24x7payments.com
    • http://en.wikipedia.org/w/index.php?title=AlertPay
    • http://en.wikipedia.org/w/index.php?title=Barclaycard_ePDQ
    • http://en.wikipedia.org/w/index.php?title=Beenz
    • http://en.wikipedia.org/w/index.php?title=Bucks_Net
    • http://en.wikipedia.org/w/index.php?title=CyberBucks
    • http://en.wikipedia.org/w/index.php?title=DigiCash
    • http://en.wikipedia.org/w/index.php?title=CyberCoin
    • http://en.wikipedia.org/w/index.php?title=Datacash
    • http://en.wikipedia.org/w/index.php?title=ECash
    • http://en.wikipedia.org/w/index.php?title=Elavon
    • http://en.wikipedia.org/w/index.php?title=FasterPay
    • http://en.wikipedia.org/w/index.php?title=Firstgate
    • http://en.wikipedia.org/w/index.php?title=Flooz
    • http://en.wikipedia.org/w/index.php?title=Heidelpay
    • http://en.wikipedia.org/w/index.php?title=HSBC
    • http://en.wikipedia.org/w/index.php?title=IKobo
    • http://en.wikipedia.org/w/index.php?title=IKP
    • http://en.wikipedia.org/w/index.php?title=LibertyReserve
    • http://en.wikipedia.org/w/index.php?title=MagicMoney
    • http://en.wikipedia.org/w/index.php?title=Microeuro
    • http://en.wikipedia.org/w/index.php?title=MicroMint
    • http://en.wikipedia.org/w/index.php?title=Micromoney
    • http://en.wikipedia.org/w/index.php?title=MilliCent
    • http://en.wikipedia.org/w/index.php?title=Mondex
    • http://en.wikipedia.org/w/index.php?title=Moneybookers
    • http://en.wikipedia.org/w/index.php?title=MPAY24
    • http://en.wikipedia.org/w/index.php?title=NetCash
    • http://en.wikipedia.org/w/index.php?title=Ouroboros
    • http://en.wikipedia.org/w/index.php?title=Pago
    • http://en.wikipedia.org/w/index.php?title=PayMe
    • http://en.wikipedia.org/w/index.php?title=PayPal
    • http://en.wikipedia.org/w/index.php?title=PayPay
    • http://en.wikipedia.org/w/index.php?title=PayPoint.net
    • http://en.wikipedia.org/w/index.php?title=PaySafeCard
    • http://en.wikipedia.org/w/index.php?title=PayYourRent.com
    • http://en.wikipedia.org/w/index.php?title=PayXpert
    • http://en.wikipedia.org/w/index.php?title=PayWord
    • http://en.wikipedia.org/w/index.php?title=PeerTransfer
    • http://en.wikipedia.org/w/index.php?title=Peppercoin
    • http://en.wikipedia.org/w/index.php?title=Qunits.net
    • http://en.wikipedia.org/w/index.php?title=RBS_WorldPay
    • http://en.wikipedia.org/w/index.php?title=Realex
    • http://en.wikipedia.org/w/index.php?title=RentPayment
    • http://en.wikipedia.org/w/index.php?title=Sage_Pay
    • http://en.wikipedia.org/w/index.php?title=Safecharge
    • http://en.wikipedia.org/w/index.php?title=Secure_Trading
    • http://en.wikipedia.org/w/index.php?title=SIX_Card_Solutions_GmbH
    +10 more URL(s)

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0090.bin
29199e2649df3ab0513ccc0a47a2e474a1a2f141419cde4387e929ade46403b3		 pdf-embedded-file PDF EmbeddedFile object 90 at offset 0xE204 32314 bytes
embedded_file_obj0088.bin
d81baa73e490e4cb879e13927cacd1dd1be37524a37eac51603e15117c578777		 pdf-embedded-file PDF EmbeddedFile object 88 at offset 0x1165D 84 bytes
embedded_file_obj0089.bin
24c130f03a4cf51d470b536e94c1e58af67665739e200e0ce198ad41086243c0		 pdf-embedded-file PDF EmbeddedFile object 89 at offset 0x1170F 228 bytes
embedded_file_obj0091.bin
c97e0522381d6196cc0695f35f4d065f15c9c86a9601a7f776c6afd3f4c6b460		 pdf-embedded-file PDF EmbeddedFile object 91 at offset 0x11800 199 bytes
embedded_file_obj0092.bin
846dfecc0c93797cb6db4301f6af323fffd76ffdf8c053c439495412785138e7		 pdf-embedded-file PDF EmbeddedFile object 92 at offset 0x118F1 119 bytes
embedded_file_obj0093.bin
e6c26a3478346d27e841ad49868ebf68bf4c6863b6750e8d60bda3c4c6f79876		 pdf-embedded-file PDF EmbeddedFile object 93 at offset 0x119A9 77 bytes
embedded_file_obj0094.bin
92a3ce61d783e15932b5de127ce45a9b4c2f98f4da2453f65241573c1dda808a		 pdf-embedded-file PDF EmbeddedFile object 94 at offset 0x11A50 56 bytes
stream_001_off000047d7.bin
dd61f9b7e9810726b48da8ef71fccdf9703f17e2db2b306fbf30e6ddffb21e06		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x47D7 14096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.