Malicious PDF — malware analysis report

Static analysis result for SHA-256 007ff6b99854f969…

MALICIOUS

PDF

58.0 KB Created: 2015-07-19 22:40:03 +01:00 Authoring application: RAD PDF (via RAD PDF 3.2.1.0 - http://www.radpdf.com)
MD5: 4e00a8971595171d402fabcdc1180eae SHA-1: ca92468554d14a8c8f91db9ce7dfc46842b3198b SHA-256: 007ff6b99854f969f67391582df6264177579cc9e16e2b57e03c6afac2c2ceb6
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains multiple invisible and repeated links designed to trick the user into clicking them. One of these links points to a URL that hosts a Java payload (CONT_WX_BAS.jar). The use of URL shorteners further obfuscates the final destination, indicating a downloader or droppper functionality.

Machine Learning

  • Nyx PDF Classifier clean score 0.0008

Heuristics 3

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bit.do/eaVRc
    • http://bdorthocare.com/imi/CONT_WX_BAS.jar
    • http://www.radpdf.com
    • http://www.radpdf.com)/Author(Emarhall)/Created(D:20150704)/Creator(RAD
    • http://www.dynaforms.com
    • http://tinyurl.com/pvp8od3
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.iec.ch

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
icc_00_off0000045e.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x45E 3144 bytes
icc_01_off00000ed9.icc
653b586c4707574ffcd648ba35494daed2c76ceafcf4c07d315ed961b1dc347f		 pdf-icc-profile PDF ICC profile at offset 0xED9 408 bytes
font_00_sfnt_off000024b8.bin
eff80aa9330501f5facb258b64b731fa633d6d8d7348aeed7b81a2a7310bb3b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x24B8 50561 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.