Malicious PDF — malware analysis report

Static analysis result for SHA-256 50c2fd1b8783ddbd…

MALICIOUS

PDF

73.5 KB Created: 2020-12-18 00:31:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 031bca68bea68773ae06ef2255066243 SHA-1: d668be51acf692a49005d48d47035e90faab5326 SHA-256: 50c2fd1b8783ddbd0f8a261b5b54390d85fa2e75f3bc0ee0979e5767b44502cb
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.007 JavaScript

The PDF document contains lures for installing browser extensions or updates and mentions remote support tools, suggesting a social engineering attack. The embedded URL points to a site offering 'idm crack key', indicating a likely attempt to trick users into downloading malware or unwanted software. While no scripts were explicitly extracted, the ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/123?utm_term=idm+crack+key+6.38
    • https://cdn-cms.f-static.net/uploads/4417817/normal_5f9e76464a4ef.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe17323f75b166439d40fd/1606293298683/93886171891.pdf
    • https://static1.squarespace.com/static/5fcecd218de958422211e0c6/t/5fd6560b0f11661d4c29d1ac/1607882252719/eldora_speedway_weather_report.pdf
    • https://static1.squarespace.com/static/5fc5cfc3c6d964583643b87e/t/5fd06303a040431536bd71f7/1607492367847/69907419217.pdf
    • https://uploads.strikinglycdn.com/files/9149e9e1-7a4a-4b94-aaaf-354d7b528b22/vafasav.pdf
    • https://uploads.strikinglycdn.com/files/d0a15020-1f3e-4def-8b84-c93e77d163ff/gokajezozizejujesarumolen.pdf
    • https://uploads.strikinglycdn.com/files/cc74ccc6-e86f-4ce3-9e3f-4488d127a770/84573479313.pdf
    • https://static1.squarespace.com/static/5fc6d3bb48c1673e5598f85d/t/5fcffaa3ec2ae40ed735fe37/1607465636213/68703872918.pdf
    • https://static1.squarespace.com/static/5fce91384b94e834a3a4af0a/t/5fd60a2ec4373837b9013763/1607862840503/je_me_dbrouille_en_anglais_gratuit.pdf
    • https://static1.squarespace.com/static/5fc5de01bd14ff0dd2be9a03/t/5fcabf045480b554f8a083bf/1607122692904/train_simulator_online.pdf
    • https://s3.amazonaws.com/xuxifuzituwu/vezojixogaxupemef.pdf
    • https://uploads.strikinglycdn.com/files/ed7fe4e9-0d58-4513-b3f3-47f9bd56d5d1/remove_nth_node_from_end_of_list_leetcode_python.pdf
    • https://s3.amazonaws.com/baxadelefofibuz/give_up_unblocked_2.pdf
    • https://s3.amazonaws.com/kudefem/laziximege.pdf
    • https://uploads.strikinglycdn.com/files/6a13e76f-16a0-46ef-ad2a-c95802e44511/867080935.pdf
    • https://static1.squarespace.com/static/5fc110906609fd0ee7923de0/t/5fcf05d7b8233e30dfa1c9db/1607402968491/65990902782.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e11c.bin
aba1a0ff20393755841b13fee3432bdf87a1009d8cbe151ce2bd7993c53a122a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE11C 5520 bytes
font_01_sfnt_off0000f3d8.bin
8b11fc57d209cf02a601298263ce62dda06d52af94c129851457a641d1b903f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF3D8 10948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.