PDF malware analysis — malicious · df6dc4cfc3aa97a4

MALICIOUS

PDF

169.1 KB Created: 2017-09-06 17:02:09 +02:00 Authoring application: wkhtmltopdf 0.12.3 (via Qt 4.8.7)

MD5: 72d283a1f80e8c2800ac206d97045c29 SHA-1: 8525b2fbbba5715c99f4db679af5e8d3167cc747 SHA-256: df6dc4cfc3aa97a4c831ab37a365c1be2b1f1b39eb4982e5b81f199948d7add0

110 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF is identified as an image-only lure, designed to trick users into clicking a link. The document contains a clickable action that redirects to the URL http://www.bcswomen.net.bd/wp-content/plugins/xaisyndicate/admiral.php, which is likely malicious. Additionally, a URL shortener, http://ow.ly/Vvqc30f2wdo, is used, which also points to a potentially malicious destination. The combination of these factors strongly suggests a phishing or malware delivery attempt.

Heuristics 6

Image-only PDF lure links through URL shortener high PDF_IMAGE_LURE_SHORTENER_LINK

PDF is image-heavy with little real text and its clickable action points to a URL shortener. This is a high-confidence credential-phishing carrier shape: the visible page is a screenshot-like prompt while the destination is hidden behind redirect infrastructure.
Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION

PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 169 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.bcswomen.net.bd/wp-content/plugins/xaisyndicate/admiral.php
- http://flyt.it/app-stores
- http://flyt.it/newmail
- http://flyt.it/lowcos
- http://flyt.it/franks
- http://www.sullmaq.com.br/site/components/com_foxcontact/kambing.php
- http://medlib.dp.gov.ua/jirbis2/components/com_foxcontact/tampaneri.php
- http://ow.ly/Vvqc30f2wdo
- http://ow.ly/emCg30fVYlo
- http://ow.ly/Gf5T30fWXBo
- http://ow.ly/1ze430fYH9V
- http://ow.ly/jEpb30fYQjX
- http://ow.ly/AqLy30g0OrD
- http://ow.ly/d1cG30g1cMa
- http://ow.ly/MnZV30g2wWm
- http://ow.ly/ZfEh30g5aVY
- http://ow.ly/MEKd30g5Y7C
- http://ow.ly/OVg930g7meB
- http://ow.ly/2mfb30g90Bs
- http://ow.ly/38zk30gaQGT
- http://ow.ly/gxPh30gbYcY
- http://ow.ly/Qi3P30gcszk
- http://ow.ly/Fs1L30ge5D7

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00001483.bin` `c2d34deb8f03a6b49794cf6645264f682ca22e63d0ca9f47403ea57443133651`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1483	8976 bytes
`font_01_sfnt_off00002b4c.bin` `72410b89e1a86d30804ce4f8eab57e37bf666c7401af115dc92f44eb622e281e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2B4C	5104 bytes
`font_02_sfnt_off00003ea2.bin` `2adc694fca752c584d4707369fb1d21897cea17cbe91a7c2f41fc963409e5ca9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3EA2	5772 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.