Malicious PDF — malware analysis report

Static analysis result for SHA-256 c70927f0faf06cb7…

Verdict: MALICIOUS
File type: PDF
Size: 199.7 KB
Created: 2016-08-25 07:52:02 +01:00
Authoring application: RAD PDF (via RAD PDF 2.35.6.2 - http://www.radpdf.com)
First seen: 2021-05-29

MD5: 23f6257daa5f93d878cdc0ada62e8e8f
SHA-1: c32cdce25a709ccfec4e308c2e074b28693aa4ca
SHA-256: c70927f0faf06cb7c70810bebc5119fee25bbfaf1d0660beb596b56088bd659a

Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains multiple embedded and invisible links designed to trick the user into downloading a payload. The primary malicious URL identified is http://www.pdfupdatersacrobat.top/website/hts-cache/index.php?userid=info@narainsfashionfabrics.com, which is repeatedly linked within the document body. The use of URL shorteners and Dropbox links suggests an attempt to obscure the final payload destination. No scripts were extracted, but the structure strongly implies a downloader or dropper functionality.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0834

Heuristics (3)

  • Invisible/repeated PDF links deliver payload file (severity: critical; rule: PDF_REPEATED_PAYLOAD_LINK_LURE)
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Clickable URI uses URL shortener (severity: medium; rule: PDF_URL_SHORTENER_URI)
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in brackets):
    • http://www.pdfupdatersacrobat.top/website/hts-cache/index.php?userid=info@narainsfashionfabrics.com [In PDF document text]
    • http://sajiye.net/file/website/file/main/index.php?userid=alwaha_alghannaa@hotmail.com [In PDF document text]
    • http://sajiye.net/file/website/file/main/index.php?userid=kitja@siamdee2558.com [In PDF document text]
    • https://www.dropbox.com/s/3yhla32uwiuuepf/OurOrder_Details_pdf.uue?dl=1 [In PDF document text]
    • https://www.dropbox.com/s/2whcvlj8zdftzrr/Payment_Pdf.uue?dl=1 [In PDF document text]
    • https://www.dropbox.com/s/0m7q431ylna3clt/PAYMENT_19016_pdf.uue?dl=1 [In PDF document text]
    • http://www.radpdf.com [In PDF document text]
    • http://www.radpdf.com)/Author(alesky)/Creator(RAD [In PDF document text]
    • http://www.dynaforms.com [In PDF document text]
    • http://ow.ly/YeuLQ [In PDF document text]
    • http://bit.ly/20X34ur [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [In PDF document text]
    • http://purl.org/dc/elements/1.1/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [In PDF document text]
    • http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYou [In PDF document text]
    • http://www.microsoft.com/typography/fonts/default.aspx [In PDF document text]
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H [In PDF document text]
    • http://www.microsoft.com/pki/certs/CSPCA.crt0 [In PDF document text]
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H [In PDF document text]
    • http://www.microsoft.com/pki/certs/tspca.crt0 [In PDF document text]
    • http://www.microsoft.com/typography [In PDF document text]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010d7.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10D7
  Size: 168888 bytes
  SHA-256: 979e2568a5296c27334e70aedc0866d374f2b4caf95574736cf51bb4006b8059

Filename: font_01_sfnt_off00014901.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14901
  Size: 169476 bytes
  SHA-256: a6eacb5f4c318f191f5c7ef56b8a9d24965db43dd12e86dc8eafc984e1163d47