Risk Score: 44 (verdict: SUSPICIOUS)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.001 PowerShell
The PDF carries embedded URLs: one is a link annotation that a viewer opens on click, the rest were found in the document text. The 'SE_LOLBIN_RUN_COMMAND' heuristic fired because the extracted text names a Windows script/execution tool close to a flag, command verb or URL, the shape of a visible 'run this' instruction used to fetch and execute a second-stage payload. The document body itself is heavily obfuscated and offers no clear textual lure, so the verdict rests on the heuristic and the URL set rather than on a readable pretext. The URL list below mixes check-in-style addresses with references to public analysis resources, so the heuristic hit warrants a look at its surrounding context before the file is treated as a delivery document.
Machine Learning
- Nyx PDF Classifier: clean score 0.0001
Heuristics (3)
- LOLBin token sequence in document text (severity: high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- External URI (severity: info, PDF_URI): PDF contains an external URL action.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs, each with the channel that reached it:
- http://read.pudn.com/downloads81/sourcecode/windows/system/315403/05%20Thread.pdf (in PDF document text)
- http://pleak.pl/index.php?cmd=getload&login=30EAA3B33DDFACD6B9394A2489D3E99784E6E6F2&sel=77777&ver=5.1&bits=0&admin=1 (in PDF document text)
- http://totalhash.com/analysis/df7e46e629d2f9f1444298dc9c1350d0ec726817 (in PDF document text)
- http://pleak.pl/index.php?cmd=getload&login=30EAA3B33DDFACD6B9394A2489D3E99784E6E6F2&s (in PDF document text; truncated as extracted)
- https://twitter.com/malwaremustdie/status/340186507371491328 (PDF link annotation)
- http://now.avg.com/zeus-bot-czech-republic/ (in PDF document text)
- https://www.virustotal.com/en- (in PDF document text; truncated as extracted)
- http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYou (in PDF document text; two adjacent strings fused by extraction)
- http://www.microsoft.com/typography/fonts/default.aspx (in PDF document text)
- http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z (in PDF document text)
- http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0 (in PDF document text)
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X (in PDF document text)
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 (in PDF document text)
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T (in PDF document text)
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0 (in PDF document text)
- http://www.microsoft.com/typography (in PDF document text)

Reading the URL list: the two pleak.pl entries carry a 'cmd=getload&login=<hex>' query string, the shape of a bot check-in rather than a document link, and the bare token 'cmd' inside them is itself a LOLBin name sitting next to a URL. The totalhash.com, virustotal.com, now.avg.com and twitter.com entries point at public analysis resources. The microsoft.com and crl.microsoft.com entries are the kind of URLs that live in embedded font metadata and Authenticode certificate chains; trailing characters such as '0Z', '0X' and '0T' are the DER tag and length bytes of the next certificate element that the string extractor swept up, not part of the URL.
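The SE_LOLBIN_RUN_COMMAND rule above is described as a proximity check: a tool name within 220 characters of a flag, verb or URL. The following Python is an added example, not the analyzer's implementation: it runs that check over constructed sample text. The tool names beyond those the description lists and the flag/verb patterns are my assumptions; the 220-character window and the URL trigger come from the description.

```python
import re

# Script/execution hosts named in the heuristic text, plus a few other common
# LOLBins; the extra names are my assumption, not the analyzer's list.
LOLBINS = ("powershell", "pwsh", "mshta", "cmd", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil", "bitsadmin")

# "dangerous flag, command verb, or URL": the flag and verb patterns are an
# assumed approximation; only the URL pattern and the 220-char window are
# taken from the heuristic description.
TRIGGERS = (
    r"-(?:enc|encodedcommand|nop|noprofile|ep|executionpolicy|windowstyle|w)\b",
    r"\b(?:iex|invoke-expression|downloadstring|downloadfile|start-process)\b",
    r"\s/(?:c|k)\s",
    r"https?://\S+",
)
WINDOW = 220  # characters either side of the tool name, per the heuristic

_TOOL_RE = re.compile(r"\b(" + "|".join(LOLBINS) + r")(?:\.exe)?\b")
_TRIGGER_RE = re.compile("|".join(TRIGGERS))


def find_lolbin_sequences(text, window=WINDOW):
    """One hit per tool-name occurrence that has a trigger within `window` chars.

    Matching is case-insensitive (the text is lower-cased once); the returned
    context is the original-case slice around the tool name for triage.
    """
    low = text.lower()
    hits = []
    for m in _TOOL_RE.finditer(low):
        lo, hi = max(0, m.start() - window), min(len(low), m.end() + window)
        t = _TRIGGER_RE.search(low, lo, hi)  # earliest trigger inside the window
        if t:
            hits.append({"tool": m.group(1), "trigger": t.group(0),
                         "offset": m.start(), "context": text[lo:hi].strip()})
    return hits


def severity(text):
    """Map the rule result onto the report's severity label."""
    return "high" if find_lolbin_sequences(text) else None


# Constructed sample inputs (not text from the analyzed file).
LURE = ("This document is protected. To view it, press Win+R and paste: "
        "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi "
        "then press Enter.")
# A check-in URL of the shape seen in the report's pleak.pl entries: the query
# key "cmd" is a bare LOLBin token sitting right next to a URL, so the
# proximity rule fires on prose that merely quotes such a URL.
WRITEUP = ("The bot checks in to http://example.invalid/index.php?cmd=getload&login=ABC "
           "and parses the reply.")
CLEAN = "Quarterly results are attached; see the figures on page 3."

if __name__ == "__main__":
    for name, sample in (("LURE", LURE), ("WRITEUP", WRITEUP), ("CLEAN", CLEAN)):
        print(name, severity(sample), find_lolbin_sequences(sample))
```

The WRITEUP sample is the false-positive case worth knowing about: a query key such as 'cmd=getload' is a bare LOLBin token next to a URL, so text that merely quotes such a URL trips the rule. Two pleak.pl URLs of exactly that shape sit in this sample's document text, so the 'high' hit may be a quoted check-in URL rather than a run-this instruction; inspect the hit's context before treating it as a lure.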
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_009_off0001d51a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1D51A | 2260026 bytes | 80a863cbe994d1abd434f9bc28d9c33a7ab4740c870bda70632c178a57f8e7ec |
| stream_036_off000866a1.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x866A1 | 202768 bytes | 96d67bae637b019f031dd73fd5b651eaa9753bb8414c7ee4105ae4d38634e069 |
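The artifact table and the per-URL channel labels come from the analyzer's own carving. As an added example that is not the analyzer's code, the following Python locates FlateDecode streams in a PDF, inflates them, records each with the report's naming scheme and a SHA-256, and labels URLs by channel (a link-annotation /URI action versus text inside a decompressed content stream). It runs on a constructed minimal PDF embedded in the block. The one-level dictionary regex, the byte-level URL search standing in for proper text extraction, and the assumption that the recorded offset is the start of the stream data are mine.

```python
import hashlib
import re
import zlib

# Constructed minimal PDF (not the analyzed sample): one FlateDecoded content
# stream whose text quotes a URL, plus one link annotation with a /URI action.
SAMPLE_CONTENT = (b"BT /F1 12 Tf 72 700 Td "
                  b"(See http://example.invalid/index.php?cmd=getload for details) Tj ET")
SAMPLE_STREAM = zlib.compress(SAMPLE_CONTENT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /Length " + str(len(SAMPLE_STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + SAMPLE_STREAM + b"\nendstream\nendobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.invalid/landing) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# A stream dictionary (one level of nesting allowed) followed by its data.
_STREAM_RE = re.compile(
    rb"<<(?P<dict>(?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)
_DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\s\d]*R)")  # skips "/Length 4 0 R"
_URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>[^)]*)\)")
_URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")


def carve_flate_streams(pdf):
    """Return [(offset_of_stream_data, decompressed_bytes)] for each /FlateDecode stream."""
    found = []
    for m in _STREAM_RE.finditer(pdf):
        if b"/FlateDecode" not in m.group("dict"):
            continue
        start = m.start("body")
        length = _DIRECT_LENGTH_RE.search(m.group("dict"))
        # Prefer the declared /Length; fall back to the regex-delimited body when
        # the length is an indirect reference this example does not resolve.
        body = pdf[start:start + int(length.group(1))] if length else m.group("body")
        try:
            data = zlib.decompressobj().decompress(body)  # tolerant of trailing bytes
        except zlib.error:
            continue  # not a plain zlib stream (e.g. a second filter in a chain)
        found.append((start, data))
    return found


def carve_artifacts(pdf):
    """Describe each carved stream the way the report's artifact table does.

    Naming mirrors the report (stream_NNN_off<hex>.bin); that the offset is
    the start of the stream data is my assumption about the analyzer.
    """
    records = []
    for n, (off, data) in enumerate(carve_flate_streams(pdf)):
        records.append({
            "filename": f"stream_{n:03d}_off{off:08x}.bin",
            "kind": "decompressed-pdf-stream",
            "source": f"PDF FlateDecoded stream at offset 0x{off:X}",
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records


def extract_urls(pdf):
    """Map each URL to the channels that reached it, like the report's per-URL labels."""
    channels = {}
    for m in _URI_ACTION_RE.finditer(pdf):  # clickable link actions
        url = m.group("uri").decode("latin-1")
        channels.setdefault(url, set()).add("PDF link annotation")
    for _, data in carve_flate_streams(pdf):  # text inside content streams
        for u in _URL_RE.finditer(data):
            channels.setdefault(u.group(0).decode("latin-1"), set()).add("In PDF document text")
    return {url: sorted(c) for url, c in channels.items()}


if __name__ == "__main__":
    for rec in carve_artifacts(SAMPLE_PDF):
        print(rec)
    for url, chans in extract_urls(SAMPLE_PDF).items():
        print(url, chans)
```

Real-world PDFs put annotations and page dictionaries inside compressed object streams, chain filters, and use indirect /Length values, so a production carver resolves the cross-reference table instead of pattern-matching; the point here is the two channels the report distinguishes, since a URL a viewer will open on click is a different finding from one that merely appears in the text.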