Malicious PDF — malware analysis report

Static analysis result for SHA-256 96beff905aa8ec43…

MALICIOUS

PDF

47.2 KB Created: 2020-08-17 18:32:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a41363149e9d42bdfb8d4a1f04c145b SHA-1: 56f09281264e0e6424157aa5f2a3f9dd6127bb46 SHA-256: 96beff905aa8ec437b9b9fe7c19116432ac983fbdfdcae21a852ecdd700376e1
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link T1071.001 Web Protocols

The PDF contains an embedded script payload and links to a known malicious redirector. The document body also contains instructions that lure the user into executing commands via the clipboard, likely involving PowerShell, as indicated by the 'battery report powershell' string. This suggests the PDF is designed to download and execute a second-stage payload from the provided URL.

Heuristics 7

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=battery+report+powershell
    • http://files.blackraven6.com/uploads/1/3/0/7/130739147/b9b27100.pdf
    • https://cdn.shopify.com/s/files/1/0434/2513/6797/files/behavior_management_plan.pdf
    • https://cdn.shopify.com/s/files/1/0437/7211/7141/files/9283460274.pdf
    • https://cdn.shopify.com/s/files/1/0438/4089/7181/files/boiler_nptel.pdf
    • https://cdn.shopify.com/s/files/1/0429/5216/3481/files/gijupitejosuviriw.pdf
    • https://cdn.shopify.com/s/files/1/0441/1280/6040/files/66783318166.pdf
    • https://cdn.shopify.com/s/files/1/0432/7528/8742/files/40403557874.pdf
    • https://cdn.shopify.com/s/files/1/0446/5029/9555/files/diablo_2_lod_no_cd_torrent.pdf
    • https://cdn.shopify.com/s/files/1/0428/0667/3574/files/lg_direct_drive_dishwasher_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/1675/7154/files/65864102959.pdf
    • https://cdn.shopify.com/s/files/1/0435/8832/1435/files/divitasazilulonudorotepas.pdf
    • https://cdn.shopify.com/s/files/1/0438/8945/9368/files/77671796973.pdf
    • https://cdn.shopify.com/s/files/1/0431/5162/2306/files/68929833822.pdf
    • https://cdn.shopify.com/s/files/1/0432/4550/2626/files/43831118866.pdf
    • https://cdn.shopify.com/s/files/1/0431/7616/5536/files/marine_seismic_data_acquisition.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0000b78a.bin
b5323efedf40c68e24ef5f536a0f096b9903c93266b8115d41f44b8a7bb074e4		 pdf-embedded-script PDF raw stream script payload at offset 0xB78A 1596 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s).
font_00_sfnt_off000063e6.bin
97caa53d47adef402755874f8d7e19ef8b0b14ba73918edb149ee105c15b6f36		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63E6 5152 bytes
font_01_sfnt_off00007578.bin
4155138f80d5830279418e39c74b97c42757f9327a31358a2d7734fbeb1f2477		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7578 10712 bytes
font_02_sfnt_off00009a1d.bin
aad9bc0f36eadc3314e08670b59090120051e308b357201f134af3d0b781b2b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A1D 16312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.