PDF static analysis report

Static analysis result for SHA-256 f543e78798825855…

SUSPICIOUS

PDF

Size: 692.1 KB
Created: 2015-01-29 22:56:38 -05:00
Authoring application: Microsoft® Word 2013
First seen: 2015-06-23
MD5: da0281de592513a30a147e4fc29a4fe5
SHA-1: e2d32ce627286bf3fc1c612c2e1aca3bd3c41283
SHA-256: f543e78798825855bb876644d81a2a3c2dd98e84a5f5ce1736d763851fbe7e78
Risk Score: 44

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains an embedded URL that is likely intended to lead the user to a malicious site. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests that the document may also contain instructions for executing commands using Windows scripting tools, potentially to download and execute a second-stage payload. The document body itself is heavily obfuscated and does not provide clear textual lures.

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics (3)

  • LOLBin token sequence in document text (severity: high) SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_009_off0001d51a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1D51A | 2260026 bytes
  SHA-256: 80a863cbe994d1abd434f9bc28d9c33a7ab4740c870bda70632c178a57f8e7ec
stream_036_off000866a1.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x866A1 | 202768 bytes
  SHA-256: 96d67bae637b019f031dd73fd5b651eaa9753bb8414c7ee4105ae4d38634e069