Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e1ca2e74b3cd5ad…

MALICIOUS

PDF

212.1 KB Created: 2017-07-06 10:58:32 UTC Authoring application: RAD PDF (via RAD PDF 3.4.0.0 - http://www.radpdf.com)
MD5: e7c31397b6f1abe4bc22158ee7418a05 SHA-1: d63b9b3f719d3066cff76c7cd0fe3c9169e8600a SHA-256: 9e1ca2e74b3cd5adf0e057ea39ef3e58807960c6c41e33ae1a02d9a229e2fd42
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains multiple invisible links, a common technique for luring users to download malicious payloads. One such link points to 'http://techsales.tk/luckmas/zadisparc.exe', which is highly suspicious. The heuristic 'PDF_REPEATED_PAYLOAD_LINK_LURE' confirms this behavior. No scripts were extracted, but the presence of the executable URL is sufficient evidence for the attack pattern.

Machine Learning

  • Nyx PDF Classifier clean score 0.0143

Heuristics 2

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://techsales.tk/luckmas/zadisparc.exe
    • http://www.radpdf.com)/Author(\)\))/Creator(RAD
    • http://www.dynaforms.com
    • http://www.radpdf.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Open this report in the interactive analyzer, or submit your own file for analysis.