Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea825403159f359c…

MALICIOUS

PDF

Size: 276.0 KB
Created: 2014-11-06 12:23:21 +05:30
Authoring application: 377376M(Foxit Advanced PDF Editor) (via an octal-escaped UTF-16BE producer string, 376377000M000i000c000r000o000s000o000f000t000256000 000W000o000r000d000 0002000000010000, which decodes to "Microsoft® Word 2010")
MD5: 1cc487caf236c9f64e76fe8d55c752d0
SHA-1: 472e1890a248ab435a3791e9c05119735e043e6a
SHA-256: ea825403159f359c5f3a8526bccfea5184c29aaba651fe9c12120656d21ac6cc
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment

The PDF contains a direct link to an executable archive, identified by the 'PDF_DIRECT_PAYLOAD_LINK' heuristic. The embedded URL points to an IP address, which is also flagged by 'PDF_URI_IP_LITERAL'. The combination of these heuristics and the ML classifier's positive prediction strongly indicates a malicious intent to deliver a payload. The document body, though heavily obfuscated, contains the same URL, reinforcing the finding.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7154

Heuristics (4)

  • PDF link points directly to executable/archive payload critical PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://190.14.37.19/~thaisupp/Document-27893.zip

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0002ceca.bin
    SHA-256: f4d9e7725a333d8ca79690a6b06ea00b60201e6fd496ec8e0e8620fb10cbb311
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2CECA
    Size: 12812 bytes
  • font_01_sfnt_off0002ee79.bin
    SHA-256: 7173fa636b8009341790637e2858d28ad117f013341c61275273629d17f6b15a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2EE79
    Size: 17308 bytes
  • font_02_sfnt_off00031be2.bin
    SHA-256: cf8f2850556b82e3efb58b6339e80a02b325fb81d6f7583591638eabb1edd72d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x31BE2
    Size: 17048 bytes