Malicious PDF — malware analysis report

Static analysis result for SHA-256 b830b203f40ae6ec…

MALICIOUS

PDF

260.6 KB Created: 2015-11-03 13:05:56 +01:00 Authoring application: RAD PDF (via RAD PDF 3.5.0.0 - http://www.radpdf.com)
MD5: 8e2159692890b4904a1bf8eaa8a7fa65 SHA-1: 53f6355ebe99cb17411298ab022839b89d88d4d3 SHA-256: b830b203f40ae6ec94ed4086174a4b0be88ba8dc5646c913284f4634b42c5e88
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file is identified as an image-only lure, containing a single image and minimal text, designed to trick users into clicking a link. The embedded URL `http://ow.ly/UblNf` is a shortened link, which is a common tactic in phishing campaigns. Several other unknown URLs were also extracted, suggesting a redirection chain to a malicious site. The document body contains multiple potential landing page URLs, including `https://www.babawheels.com/wp/wee/gozypage/chines/?userid=%0%` and `https://jmdphysiotronic.in/dem/adobe.htm`, which are likely part of the phishing infrastructure.

Heuristics 3

  • Image-only PDF lure links through URL shortener high PDF_IMAGE_LURE_SHORTENER_LINK
    PDF is image-heavy with little real text and its clickable action points to a URL shortener. This is a high-confidence credential-phishing carrier shape: the visible page is a screenshot-like prompt while the destination is hidden behind redirect infrastructure.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 1 text block(s), carries a click-outward action, and is only 260 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.babawheels.com/wp/wee/gozypage/chines/?userid=%0%
    • https://jmdphysiotronic.in/dem/adobe.htm
    • https://fmiplan.tk/wep/adobe.htm
    • https://raysdieselservice.ca/seen/PDF2/PDFf2/PDF/PDF/PDF/cas.htm
    • https://bestdelivery.download/secured/save/PDF2/PDFf2/PDF/PDF/PDF/cas.htm
    • https://bestdelivery.download/date/PDF2/PDFf2/PDF/PDF/PDF/cas.htm
    • http://www.radpdf.com)/Creator(RAD
    • http://www.dynaforms.com
    • http://www.radpdf.com
    • http://ow.ly/UblNf
    • http://ow.ly/cI7c306miqc
    • http://www.iec.ch
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00000bac.bin
ad57695567d52b9e680e89babc17966358eca0de6e7781016c1fac9dba5bbe4e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBAC 173472 bytes
font_01_sfnt_off000140c9.bin
d43e7b69e1e25fe070d522da94c4396003aae12eb7a75aecb2cc0f5e5feef6a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x140C9 73728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.