Malicious PDF — malware analysis report

Static analysis result for SHA-256 f01b48c76ad01405…

Verdict: MALICIOUS
File type: PDF
Size: 165.9 KB
Created: 2016-12-26 20:42:28 +08:00
First seen: 2018-11-13
MD5: fa761ad92c8ae89b8eeee0e744f6da2b
SHA-1: 97b29971496fa01ca7a84a364e32f520de2b43a8
SHA-256: f01b48c76ad0140595b00371b8ebd86d4ab36c9ec2896868a2393314825d1912
Risk score: 78

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains an embedded URI pointing to a suspicious external resource. This URI is likely intended to trick the user into downloading a secondary malicious PDF. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of the external link strongly suggests a social engineering attempt to deliver further malware. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier clean score 0.0566

Heuristics (6)

  • Secondary embedded PDF body has suspicious static findings (severity: high, rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF carries a PHP-gateway SEO-spam PDF link farm (severity: medium, rule: PDF_SEO_PHP_GATEWAY_LINK_FARM)
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • PDF differential parser failed (severity: info, rule: PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • stream_005_off0000b856.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB856
    Size: 20012 bytes
    SHA-256: fde4a56613f3142d0275d401dfd2e4fe2e20ab986bc3024ccba69dce85ed2833
  • stream_015_off0001f150.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1F150
    Size: 20308 bytes
    SHA-256: 1cac92e4f225aa7afcd080642d5078839ef22260c31c3862a28b8de1d3ce036f
  • font_01_sfnt_off0000ee42.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE42
    Size: 19964 bytes
    SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8
  • font_02_sfnt_off00012408.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12408
    Size: 20828 bytes
    SHA-256: 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1
  • polyglot_child_pdf_off00015fa0.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0x15FA0
    Size: 79830 bytes
    SHA-256: 2a3e727345c4e58a726a6d4845391ea43bd81e1b5b2f91139fc2a0d4a0774f9d