Malicious PDF — malware analysis report

Static analysis result for SHA-256 c10ff841b8b6bae6…

MALICIOUS

PDF

Size: 52.8 KB
Created: 2016-08-25 18:47:25 UTC
Authoring application: RAD PDF (via RAD PDF 2.38.3.1 - http://www.radpdf.com)
MD5: 0ae9fbf0673e90bf84b424b42a911496
SHA-1: b0f5f7fb722e5d0415f5ba9c36088bd334ed7818
SHA-256: c10ff841b8b6bae6b20af5a2498fe2ef08fbbd38ee45849cdc092fea5cb56ddd
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a direct link to a JAR file, identified by the 'PDF_DIRECT_PAYLOAD_LINK' heuristic. Additionally, a URL shortener is used, indicated by 'PDF_URL_SHORTENER_URI'. The primary goal appears to be tricking the user into downloading and running the malicious JAR file.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0002

Heuristics (3)

  • PDF link points directly to executable/archive payload [critical] PDF_DIRECT_PAYLOAD_LINK
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Clickable URI uses URL shortener [medium] PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://taact.co.in/dcheck/documents.jar
    • http://www.radpdf.com)/Creator(RAD
    • http://www.dynaforms.com
    • http://www.radpdf.com
    • http://ow.ly/rpdy303Acfm
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off00000705.bin
  SHA-256: a61fd77231faea1132aa01b024c02d18a2d04ae53fd8b89a244f0b4010c3cbb8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x705
  Size: 43308 bytes

font_01_cff_off00004afd.bin
  SHA-256: a2ec24f89aad35d0a61fe14f28c609fe1950faa01659450987a62dc4e0283aa4
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x4AFD
  Size: 227 bytes

font_02_sfnt_off00004e62.bin
  SHA-256: a0a749afe43adeecc79aa5a700c48f194f76b057d3502d7101d47cbe415e5990
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4E62
  Size: 48964 bytes

font_03_cff_off00009ed8.bin
  SHA-256: ed9611373651b0f02ebc7b95ef190516fc9e6dacb8b68b6e2ed3de2025a42bd5
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x9ED8
  Size: 229 bytes