Malicious PDF — malware analysis report

Static analysis result for SHA-256 9918744456f29921…

Verdict: MALICIOUS
File type: PDF
Size: 1.91 MB
Created: 2020-05-13 02:08:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8679c8a9955f81d899c4584f25be09ad
SHA-1: 7115a0b41cbe45caf231528de8397f3f8deec6d0
SHA-256: 9918744456f299214b40b606ac891ecbf9423c7996c721282666baa653c2725c
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF contains an embedded JavaScript stream and 30 external URLs. The critical heuristic is a set of repeated invisible link annotations that resolve to a direct payload download. The document body instructs the user to copy commands and paste them into an execution context such as the Run dialog or PowerShell, and one linked URL (files.giga-downloads.de/system/Cortana_deinstallieren.zip) points to a ZIP archive; two further links fetch Windows installers (.exe) and one fetches a user.js file. Taken together this matches a multi-stage pattern in which the PDF is only the lure and the secondary payload is fetched from the linked URL and executed by the user. Note that most of the remaining URLs are reference links (Wikipedia, Mozilla add-ons, VeraCrypt, Tails, Tor) consistent with a German-language anonymity guide, and the document was produced by wkhtmltopdf from HTML; the verdict therefore rests on the link-annotation and clipboard-command heuristics, so the contents of the /JS stream and the linked ZIP should be examined before the verdict is acted on.

Heuristics (6)

  • PDF_REPEATED_PAYLOAD_LINK_LURE (critical): Invisible/repeated PDF links deliver payload file
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • SE_CLIPBOARD_COMMAND_LURE (high): Clipboard command execution lure
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • SE_LOLBIN_RUN_COMMAND (high): Visible LOLBin command execution instruction
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (30):
    • https://darksidecrew.co/
    • https://www.xup.in/dl,14882471/Anonym-im-Internet-mit-Tor-und-Tails.pdf/
    • https://www.xup.in/dl,20102652/Tails2019-01-27-A4.pdf/
    • https://files.giga-downloads.de/system/Cortana_deinstallieren.zip
    • https://technitium.com/tmac/
    • http://kernsafe-totalmounter.softonic.de/
    • http://www.gburner.com/online-help/virtual-drive.htm
    • https://github.com/bwalex/tc-play
    • https://html2pdf.com/files/m82vytwnkvxneqb8/o_1e85lnbv4ir61lls1356h971us2b/Darksidecrew.co%20-%20Freiheit%20ist%20das%20Recht%20auf%20Anonymit%C3%A4t%20v1/download/user.js
    • https://www.proxifier.com/download/
    • https://vip72.com/
    • https://www.darksidecrew.co
    • https://winfuture.de/downloadvorschalt,1329.html
    • https://de.wikipedia.org/wiki/Advanced_Encryption_Standard
    • https://de.wikipedia.org/wiki/Twofish
    • https://de.wikipedia.org/wiki/Serpent_\(Verschl%25C3%25BCsselung\
    • https://de.wikipedia.org/wiki/RIPEMD-160
    • https://www.veracrypt.fr/en/Home.html
    • http://mhogomchungu.github.io/zuluCrypt/
    • https://de.wikipedia.org/wiki/Device_Mapper
    • https://de.wikipedia.org/wiki/Ext4
    • https://de.wikipedia.org/wiki/Einh%25C3%25A4ngepunkt
    • https://www.mozilla.org/en-US/firefox/organizations/all.html
    • https://addons.mozilla.org/de/firefox/addon/ublock-origin/
    • https://addons.mozilla.org/de/firefox/addon/uaswitcher/
    • https://developers.whatismybrowser.com/useragents/explore/operating_system_name/android/
    • https://addons.mozilla.org/de/firefox/addon/noscript/
    • https://www.perfect-privacy.com/downloads/Perfect-Privacy-VPN_Setup.exe
    • https://www.perfect-privacy.com/downloads/Perfect-Privacy-SSH_Setup.exe
    • https://www.perfect-privacy.com/downloads/updown.sh
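The following is an added example, not the scanner's own code: a stand-alone re-implementation of the link-annotation, /JS, clipboard-lure and LOLBin heuristics above, run against a constructed PDF (not the analyzed sample). It also inflates FlateDecode streams before searching, which is the same step that produced the "decompressed-pdf-stream" artifacts listed further down. The payload extensions, lure words, the "repeated" threshold and the German keyword variants are my assumptions, not the scanner's rule definitions.

```python
"""Added example (not the scanner's code): minimal PDF lure heuristics over raw bytes."""
from __future__ import annotations

import posixpath
import re
import zlib
from dataclasses import dataclass
from urllib.parse import urlparse

# --- constructed sample PDF (NOT the analyzed file): one visible link, two invisible links
# to a .zip, an OpenAction JavaScript, and a Flate-compressed content stream with a lure line.
_CONTENT = b"BT /F1 12 Tf 72 700 Td (Kopieren Sie den Befehl und fuegen Sie ihn in PowerShell ein) Tj ET"
_DEFLATED = zlib.compress(_CONTENT)
SAMPLE_PDF = (
    b"%PDF-1.4\n" +
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n" +
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n" +
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Contents 4 0 R /Annots [5 0 R 6 0 R 7 0 R] >> endobj\n" +
    b"4 0 obj << /Length " + str(len(_DEFLATED)).encode() + b" /Filter /FlateDecode >> stream\n" + _DEFLATED + b"\nendstream endobj\n" +
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670] /A << /S /URI /URI (https://example.invalid/guide.html) >> >> endobj\n" +
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 0 0] /A << /S /URI /URI (https://example.invalid/unlock_document.zip) >> >> endobj\n" +
    b"7 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 10 10] /F 2 /A << /S /URI /URI (https://example.invalid/unlock_document.zip) >> >> endobj\n" +
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Assumed rule parameters (my choice, not the scanner's):
PAYLOAD_EXT = {".zip", ".exe", ".js", ".jse", ".vbs", ".hta", ".scr", ".msi", ".iso", ".lnk"}
LURE_WORDS = ("document", "unlock", "verify", "invoice", "secure")
LOLBIN = re.compile(r"\b(powershell|pwsh|cmd(?:\.exe)?|mshta|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin)\b", re.I)
EXEC_CONTEXT = re.compile(r"\b(ausf(?:ü|ue)hren|run)\b", re.I)        # Run dialog, German "Ausführen"
CLIPBOARD = re.compile(r"\b(copy|paste|kopier\w*|einf(?:ü|ue)g\w*)\b", re.I)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
RECT_RE = re.compile(rb"/Rect\s*\[([^\]]*)\]")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")           # direct string URIs only; no indirect refs
FLAGS_RE = re.compile(rb"/F\s+(\d+)")
JS_RE = re.compile(rb"/(JS|JavaScript)\b")
TEXT_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")  # simple (...) Tj strings; TJ arrays/hex not handled


@dataclass
class Link:
    obj: int
    uri: str
    rect: tuple
    flags: int

    @property
    def invisible(self) -> bool:
        """Hidden annotation flag (bit 2) or a click area with no width/height."""
        x0, y0, x1, y1 = self.rect
        return bool(self.flags & 2) or abs(x1 - x0) < 0.5 or abs(y1 - y0) < 0.5


def inflate_streams(pdf: bytes) -> bytes:
    """Return the raw file followed by every stream that inflates as Flate (wkhtmltopdf compresses content)."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode (or damaged); the raw bytes are already in parts[0]
    return b"\n".join(parts)


def link_annotations(data: bytes) -> list[Link]:
    """Collect /Link annotations that carry a direct /URI action and a /Rect."""
    links = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        if not re.search(rb"/Subtype\s*/Link", body):
            continue
        uri, rect = URI_RE.search(body), RECT_RE.search(body)
        if not uri or not rect:
            continue
        coords = tuple(float(v) for v in rect.group(1).split())
        if len(coords) != 4:
            continue
        flags = FLAGS_RE.search(body)
        links.append(Link(num, uri.group(1).decode("latin-1"), coords, int(flags.group(1)) if flags else 0))
    return links


def payload_like(uri: str) -> bool:
    """Direct download of an executable-ish archive, or a lure-style file name."""
    name = posixpath.basename(urlparse(uri).path.lower())
    return posixpath.splitext(name)[1] in PAYLOAD_EXT or any(w in name for w in LURE_WORDS)


def has_javascript(data: bytes) -> bool:
    return JS_RE.search(data) is not None


def page_text(data: bytes) -> str:
    return " ".join(m.group(1).decode("latin-1") for m in TEXT_RE.finditer(data))


def lolbin_instruction(text: str) -> bool:
    return LOLBIN.search(text) is not None


def clipboard_command_lure(text: str) -> bool:
    return bool(CLIPBOARD.search(text) and (LOLBIN.search(text) or EXEC_CONTEXT.search(text)))


def scan(pdf: bytes) -> dict:
    data = inflate_streams(pdf)
    links = link_annotations(data)
    payload = [l for l in links if payload_like(l.uri)]
    hidden_payload = [l for l in payload if l.invisible]
    text = page_text(data)
    return {
        "PDF_URI": bool(links),
        "PDF_JS": has_javascript(data),
        "SE_LOLBIN_RUN_COMMAND": lolbin_instruction(text),
        "SE_CLIPBOARD_COMMAND_LURE": clipboard_command_lure(text),
        # assumed threshold: at least one hidden payload link and payload links repeated
        "PDF_REPEATED_PAYLOAD_LINK_LURE": bool(hidden_payload) and len(payload) >= 2,
        "payload_urls": sorted({l.uri for l in payload}),
        "hidden_link_objects": [l.obj for l in hidden_payload],
    }


if __name__ == "__main__":
    for rule, hit in scan(SAMPLE_PDF).items():
        print(f"{rule:32} {hit}")
```

The text extraction is deliberately naive: real wkhtmltopdf output places text in TJ arrays, often as hex strings under subset font encodings, so for a production check feed the inflated streams to pdftotext or pdfminer instead of TEXT_RE. The annotation walk also only resolves direct `/A << /S /URI ... >>` dictionaries; an `/A 12 0 R` indirect reference needs the object table. The invisibility test (hidden flag or zero-area /Rect) is what turns an ordinary PDF_URI hit into the critical link-lure finding, and the inflate step is why the three decompressed streams in the artifact list exist at all.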

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

stream_004_off00000628.bin
  SHA-256: 17f8f8a048868f75b24158c856a94ca90ec0693e7d89b82f91087447e045bf1f
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x628
  Size:    10125 bytes

stream_079_off0017f9d7.bin
  SHA-256: 5551311b280d3d4c143e3dcf53c0417e8bb371f969ff4e7b2103fa1a62d219ac
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x17F9D7
  Size:    1064385 bytes

stream_119_off001d78d5.bin
  SHA-256: 22e3849e7f8a1ac64cbc848671cb67ce054c4b0f98dfb0d746f40fbe6258212c
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x1D78D5
  Size:    16604 bytes

font_01_sfnt_off001da825.bin
  SHA-256: 4a844010f4aba4f4834981df2e5c7e7261a414a52025b63280f8cad863b14af4
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1DA825
  Size:    10744 bytes

font_02_sfnt_off001dc3d6.bin
  SHA-256: cc613d23deb3d4e2930b42f0f97775d97bd275c91fc929fcfd07209004ea41d1
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1DC3D6
  Size:    15596 bytes

font_03_sfnt_off001deecd.bin
  SHA-256: 5ae7e8a0d3a2ff11caff4bdf32ec7c3db9965b65e955d7ffc4e0f66355d1deea
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1DEECD
  Size:    7592 bytes

font_04_sfnt_off001e0024.bin
  SHA-256: 6085e52fe09c1d91628623df19eab47409e96f447a3b09858de96303cedc90de
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1E0024
  Size:    1996 bytes

font_05_sfnt_off001e08ee.bin
  SHA-256: d248493dfd90e1ca20090324cbd4def1989c8888b455155da8afcfdd1594f892
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1E08EE
  Size:    4648 bytes

font_06_sfnt_off001e18c7.bin
  SHA-256: ebd992dbe39ecad58c8cba434ee9ac77460270b966bb336e6795ba751f2015fc
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1E18C7
  Size:    3376 bytes

font_07_sfnt_off001e23bd.bin
  SHA-256: 4fe76ea16df703bf76cc025ee5ed23641eb5001356fdbbdf9d9dca44983ac486
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1E23BD
  Size:    22328 bytes