Malicious PDF — malware analysis report

Static analysis result for SHA-256 5237c6afdcd6583a…

MALICIOUS

PDF

167.6 KB Created: 2016-10-10 08:59:52 UTC Authoring application: RAD PDF (via RAD PDF 2.37.0.0 - http://www.radpdf.com)
MD5: fb0bb0b12499a599e334376b36e42480 SHA-1: 9fec0173fb5a4dc5ff40c7bce6804c61180d196b SHA-256: 5237c6afdcd6583af60090b4169985539cea21beff50c5fbd9b72af8b19cbf6e
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF is identified as an image-only lure, typical of phishing campaigns. It contains an embedded JavaScript stream and multiple external URIs, including a URL shortener, which are used to redirect the user to potentially malicious websites. The ML classifier also flagged this PDF as malicious. The primary attack pattern involves tricking the user into clicking a link disguised as document content, leading to a second-stage download or redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8607

Heuristics 5

  • Image-only PDF lure links through URL shortener high PDF_IMAGE_LURE_SHORTENER_LINK
    PDF is image-heavy with little real text and its clickable action points to a URL shortener. This is a high-confidence credential-phishing carrier shape: the visible page is a screenshot-like prompt while the destination is hidden behind redirect infrastructure.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 1 text block(s), carries a click-outward action, and is only 167 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.diamondcreationslb.com/doc/rdd.htm
    • http://ruseuropharm.ru/tobi/index.php
    • http://overcloudsrl.com/pdf/FundzyPdf/index.php
    • http://overcloudsrl.com//inno/index.php
    • http://tcil-bd.com/nonso/index.php
    • http://tcil-bd.com/images/brsoalex/index.php
    • http://tcil-bd.com/js/subebe/index.php
    • http://tcil-bd.com/shub/index.php
    • http://tcil-bd.com/images/subebe/index.php
    • http://www.radpdf.com)/Creator(RAD
    • http://www.dynaforms.com
    • http://www.radpdf.com
    • http://bit.ly/2un7K34
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001922.bin
d43e7b69e1e25fe070d522da94c4396003aae12eb7a75aecb2cc0f5e5feef6a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1922 73728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.