Malicious PDF — malware analysis report

Static analysis result for SHA-256 dad74432705bbcfe…

Verdict: MALICIOUS
File type: PDF
Size: 15.74 MB
MD5: 2b3f85cb9397e0773a8950d351787575
SHA-1: 5840d4275a39335bf73b08c0bf9457ebed49207d
SHA-256: dad74432705bbcfefe3843b258f6b3fc97013dd909d14ef17e1f2545eca47475
Risk score: 114

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF shows several indicator-level signals: a /JPXDecode (JPEG2000) filter, the decoder family behind CVE-2018-4990 in Adobe Reader; /JBIG2Decode image streams; and an unusually high stream count (501 or more), which can indicate heap spraying or heavy obfuscation. The ML classifier also labelled the file malicious, though only marginally (score 0.5101). No scripts were extracted, so the JPX heuristic rests on the filter's presence next to active-content indicators in object dictionaries rather than on a recovered exploit chain, and no malformed JP2/JPX codestream has been identified. Together these factors are consistent with an attempt to exploit a parser bug for code execution, typically followed by download of a second-stage payload, but they do not prove one; confirming it requires decoding the JPX and JBIG2 streams or detonating the file in an instrumented reader. The listed URLs are /URI link-annotation targets on three .ru domains (omegasound.ru, elec-transfer.ru, mega-sb.ru); many were confirmed benign and none is a detection on its own, so treat them as pivoting leads rather than as evidence of a watering hole or phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5101

Heuristics (5)

  • JPXDecode + active content (severity: high, CVE-related) PDF_JPX_CVE_2018_4990_RELATED
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA or RichMedia indicators. This matches the delivery pattern of Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove that the malformed JP2/JPX primitive is present; confirm by extracting the /JPXDecode image streams and parsing their JP2/JPX box structure.
  • JBIG2Decode filter (severity: medium) PDF_JBIG2
    JBIG2 image decoder present; JBIG2 parsers have historically been abused in zero-click exploits. The 28 JBIG2 streams carved below are 72 to 836 bytes each and should be inspected individually.
  • Unusually high stream count (severity: medium) PDF_MANY_STREAMS
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation. In a 15.74 MB document with just over a thousand link URLs and many embedded images this count can also be ordinary, so weigh it against the other indicators.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action (/A << /S /URI /URI (...) >>).
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Each URL listed below came from a /URI link-annotation action.
    • https://omegasound.ru/
    • https://omegasound.ru/product/
    • https://omegasound.ru/product/brendy/
    • https://omegasound.ru/product/brendy/omegasound/
    • https://omegasound.ru/upload/iblock/2d2/al_mgn1.png
    • https://omegasound.ru/upload/resize_cache/iblock/854/1200_1200_0/alpha_mgn_ris1.jpg
    • https://omegasound.ru/upload/resize_cache/iblock/ce8/1200_1200_0/alpha_mgn_ris2.jpg
    • https://omegasound.ru/upload/resize_cache/iblock/b61/1200_1200_0/alpha_mgn_ris3.jpg
    • https://omegasound.ru/product/pozharnaya-signalizatsiya/
    • https://omegasound.ru/product/brendy/wheelock/
    • https://omegasound.ru/contacts/#feedback
    • https://omegasound.ru/DOC/ALPHA/instructions/MGN-Alpha-System.pdf
    • https://omegasound.ru/DOC/ALPHA/instructions/AL-MGN1_v2.pdf
    • https://omegasound.ru/DOC/STANDARDS/SP-59.13330.2016.pdf
    • https://omegasound.ru/DOC/ALPHA/certificate/certificate_tr_ts_al-mgn.pdf
    • https://omegasound.ru/product/sistemy-dvustoronney-golosovoy-svyazi/sistema-obratnoy-svyazi-alyona/1102/
    • https://omegasound.ru/product/brendy/omegasound/1070/
    • https://omegasound.ru/product/sistemy-dvustoronney-golosovoy-svyazi/sistema-obratnoy-svyazi-alyona/23033/
    • https://omegasound.ru/product/sistemy-dvustoronney-golosovoy-svyazi/sistema-obratnoy-svyazi-alyona/23035/
    • https://omegasound.ru/product/sistemy-dvustoronney-golosovoy-svyazi/sistema-obratnoy-svyazi-alyona/1099/
    • https://omegasound.ru/about/
    • https://omegasound.ru/DOC/XLS/Price_omega_10.01.2019.xls
    • https://omegasound.ru/where-to-buy/
    • https://omegasound.ru/news/
    • https://omegasound.ru/support/
    • https://omegasound.ru/contacts/
    • https://omegasound.ru/compare
    • https://www.elec-transfer.ru/
    • https://www.elec-transfer.ru/sistemy-dispetcherskoy-svyazi-i-vyzova-personala/
    • https://www.elec-transfer.ru/sistemy-dispetcherskoy-svyazi-i-vyzova-personala/omega-pro/
    • https://www.elec-transfer.ru/image/cache/data/i/cl/jb/d1eb2f23a436e58714a9695811b9aac6-500x500.jpeg
    • https://www.elec-transfer.ru/omega
    • https://mega-sb.ru/catalog
    • https://mega-sb.ru/oplata_i_dostavka
    • https://mega-sb.ru/contact
    • https://mega-sb.ru/garantii
    • https://mega-sb.ru/proektirovanie
    • https://mega-sb.ru/news
    • https://mega-sb.ru/text
    • https://mega-sb.ru/
    • https://mega-sb.ru/cart
    • https://mega-sb.ru/catalog/kabeli_i_provoda
    • https://mega-sb.ru/catalog/kabeli_i_provoda/kabeli__vitaya_para__lan
    • https://mega-sb.ru/media/item_foto/speclan_ftp-3nga-frls_2x2x052.png
    • https://mega-sb.ru/brand/%D0%A1%D0%BF%D0%B5%D1%86%D0%BA%D0%B0%D0%B1%D0%B5%D0%BB%D1%8C
    • https://mega-sb.ru/catalog/kabeli_i_provoda/kabeli_dlya_sistem_ohranno-pozharnoy_signalizacii
    • https://mega-sb.ru/catalog/kabeli_i_provoda/kabeli_dlya_interfyaysa
    • https://mega-sb.ru/catalog/kabeli_i_provoda/kabeli_radiochastotnye
    • https://mega-sb.ru/catalog/kabeli_i_provoda/kabeli_i_provoda_elektrotehnicheskie
    • https://mega-sb.ru/catalog/kabeli_i_provoda/kabeli_kombinirovannye_dlya_videonablyudeniya
    +953 more URL(s)
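The five heuristics above can be reproduced over raw PDF bytes without a full parser. The Python below is an added example and is not part of this report or of the engine that produced it: it counts /Filter names, looks for active-content keys (JavaScript, JS, XFA, RichMedia, OpenAction, AA, Launch), counts stream objects, and decodes /URI targets as real PDF literal strings (balanced parentheses, backslash and octal escapes, hex form), which is what avoids the `)/S/URI/Type/Action` residue that a regex running past the closing parenthesis drags in from the enclosing action dictionary. The sample PDF is constructed for illustration; the rule identifiers and severities are the report's, and the 500-stream cutoff mirrors its "501+" wording.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample (not the analysed file): a JPXDecode image, a JBIG2Decode
# image, an /OpenAction that runs JavaScript, and two /URI link annotations
# whose targets contain an escaped and a balanced parenthesis.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert\\(1\\)) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R 7 0 R] /Resources << /XObject << /Im0 4 0 R /Im1 5 0 R >> >> >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /JPXDecode /Length 4 >>
stream
jP2k
endstream
endobj
5 0 obj << /Type /XObject /Subtype /Image /Filter [/FlateDecode /JBIG2Decode] /Length 2 >>
stream
xx
endstream
endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /Type /Action /S /URI /URI (https://example.com/a\\)b) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /Type /Action /S /URI /URI (https://example.com/x(y)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}
ACTIVE_KEYS = rb"/(JavaScript|JS|XFA|RichMedia|OpenAction|AA|Launch)\b"


def parse_literal_string(data: bytes, start: int) -> Tuple[bytes, int]:
    """Decode the PDF literal string whose '(' is at data[start] (ISO 32000-1 7.3.4.2):
    backslash escapes, 1-3 octal digits, backslash-EOL continuation, balanced parens.
    Returns (value, index just past the closing ')')."""
    if data[start:start + 1] != b"(":
        raise ValueError("literal string must start with '('")
    out, depth, i = bytearray(), 1, start + 1
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt in _ESCAPES:
                out += _ESCAPES[nxt]
                i += 2
            elif nxt and nxt in b"01234567":
                m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
                out.append(int(m.group(), 8) & 0xFF)
                i += 1 + len(m.group())
            elif nxt in (b"\r", b"\n"):          # continuation: drop backslash and EOL
                i += 2 + (nxt == b"\r" and data[i + 2:i + 3] == b"\n")
            else:                                # unknown escape: the backslash is ignored
                i += 1
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    raise ValueError("unterminated literal string")


def extract_uris(data: bytes) -> List[str]:
    """Return every /URI target, decoding literal (...) and hex <...> strings.
    A regex that stops at the first ')' truncates targets containing parentheses;
    one that runs on past it picks up the dictionary keys that follow."""
    uris = []
    for m in re.finditer(rb"/URI\s*(?=[(<])", data):
        pos = m.end()
        if data[pos:pos + 1] == b"(":
            value, _ = parse_literal_string(data, pos)
        else:
            hexdigits = re.sub(rb"\s", b"", data[pos + 1:data.index(b">", pos)])
            if len(hexdigits) % 2:               # odd digit count: final digit is taken as 0
                hexdigits += b"0"
            value = bytes.fromhex(hexdigits.decode("ascii"))
        uris.append(value.decode("utf-8", "replace"))
    return uris


def triage(data: bytes) -> Dict:
    """Reproduce the report's indicator-level PDF heuristics over raw bytes."""
    filters: Counter = Counter()
    for m in re.finditer(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", data):
        for name in re.findall(rb"/([A-Za-z0-9]+)", m.group(1)):
            filters[name.decode()] += 1
    active = sorted({m.group(1).decode() for m in re.finditer(ACTIVE_KEYS, data)})
    stream_count = len(re.findall(rb"\bstream\r?\n", data))  # 'endstream' has no word boundary
    uris = extract_uris(data)
    findings = []
    if filters["JPXDecode"] and active:      # filter presence next to active content, not exploit proof
        findings.append(("PDF_JPX_CVE_2018_4990_RELATED", "high"))
    if filters["JBIG2Decode"]:
        findings.append(("PDF_JBIG2", "medium"))
    if stream_count > 500:                   # the report's '501+ stream objects' cutoff
        findings.append(("PDF_MANY_STREAMS", "medium"))
    if uris:
        findings.append(("PDF_URI", "info"))
    return {"filters": dict(filters), "active_content": active,
            "stream_count": stream_count, "uris": uris, "findings": findings}
```

Running `triage(SAMPLE_PDF)` yields the JPX, JBIG2 and URI findings with the two URIs decoded exactly as written in the annotations; a file like the one above, with objects compressed into object streams or filters referenced indirectly, would need a real object parser before these keys become visible.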

Extracted artifacts (32)

Files carved from inside the sample during analysis.
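Carving streams the way the artifact table records them (decompressed FlateDecode streams, raw JBIG2 streams, offset-based filenames, SHA-256 and size) needs only the standard library. The Python below is an added example, not the tool that produced this report: the sample PDF, its content stream and the placeholder JBIG2 bytes are constructed; the filename pattern follows the table's stream_NNN_offXXXXXXXX.bin and jbig2_NN_offXXXXXXXX.bin convention; and the offset recorded is the first byte of stream data, an assumption since the report does not say which byte its offsets refer to. It falls back to the endstream keyword when /Length is an indirect reference and keeps the raw bytes when inflation fails, both common in malformed samples.

```python
import hashlib
import re
import zlib
from dataclasses import dataclass
from typing import List


@dataclass
class Artifact:
    filename: str
    sha256: str
    kind: str
    source: str
    size: int


# Constructed content for the sample PDF (not data from the analysed file).
SAMPLE_CONTENT = b"BT /F1 12 Tf 72 720 Td (constructed sample) Tj ET"
SAMPLE_JBIG2 = bytes(range(0x10, 0x40))       # placeholder bytes, not a valid JBIG2 segment


def build_sample_pdf() -> bytes:
    """One FlateDecoded content stream with a direct /Length and one JBIG2Decode
    image whose /Length is an indirect reference (3 0 R)."""
    flate = zlib.compress(SAMPLE_CONTENT)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Length " + str(len(flate)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + flate + b"\nendstream\nendobj\n"
            b"2 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8 /BitsPerComponent 1\n"
            b"   /ColorSpace /DeviceGray /Filter /JBIG2Decode /Length 3 0 R >>\n"
            b"stream\n" + SAMPLE_JBIG2 + b"\nendstream\nendobj\n"
            b"3 0 obj " + str(len(SAMPLE_JBIG2)).encode() + b" endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def sha256_hex(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


def _strip_one_eol(b: bytes) -> bytes:
    """The EOL before 'endstream' is a delimiter, not stream data."""
    if b.endswith(b"\r\n"):
        return b[:-2]
    if b.endswith(b"\n") or b.endswith(b"\r"):
        return b[:-1]
    return b


def carve_streams(data: bytes) -> List[Artifact]:
    artifacts: List[Artifact] = []
    jbig2_idx = 0
    for idx, m in enumerate(re.finditer(rb"\bstream\r?\n", data)):
        # the stream dictionary sits between the enclosing 'N G obj' and the keyword
        obj_start = data.rfind(b" obj", 0, m.start())
        header = data[max(obj_start, 0):m.start()]
        offset = m.end()                          # assumption: offset = first data byte
        # trust a direct /Length; an indirect one (N 0 R) cannot be resolved here and
        # a lying one is common in malformed samples, so fall back to 'endstream'
        direct = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", header)
        if direct:
            raw = data[offset:offset + int(direct.group(1))]
        else:
            end = data.find(b"endstream", offset)
            raw = _strip_one_eol(data[offset:end if end != -1 else len(data)])
        fm = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", header)
        filters = re.findall(rb"/([A-Za-z0-9]+)", fm.group(1)) if fm else []
        payload, kind = raw, "raw-pdf-stream"
        if b"FlateDecode" in filters:
            try:
                # decompressobj tolerates truncated input and ignores trailing junk
                payload = zlib.decompressobj().decompress(raw)
                kind = "decompressed-pdf-stream"
            except zlib.error:
                kind = "pdf-stream-inflate-failed"    # keep raw bytes for manual inspection
        if b"JBIG2Decode" in filters:
            kind = "pdf-jbig2-stream"
            name = f"jbig2_{jbig2_idx:02d}_off{offset:08x}.bin"
            jbig2_idx += 1
        else:
            name = f"stream_{idx:03d}_off{offset:08x}.bin"
        source = f"PDF {kind} at offset 0x{offset:X}"
        artifacts.append(Artifact(name, sha256_hex(payload), kind, source, len(payload)))
    return artifacts
```

A JBIG2 stream that is itself Flate-wrapped (`[/FlateDecode /JBIG2Decode]`) is inflated first and then classified as JBIG2, which is what you want before handing it to a decoder; streams whose filter dictionary lives in a compressed object stream are not seen at all by this byte-level approach.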

Each entry lists the filename, its SHA-256, and then kind, source and size.
stream_074_off00036758.bin
c5d9a4c2bf17fc75131c53c38debb8400d8ee7f3a70b95bd9bc0f4b0a000e041
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x36758 44132 bytes
stream_130_off00070056.bin
77f0ce02fcc71c9b54c2cfbb0a98c954076dd2a834eca8e9a7b100d758ad7d9e
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x70056 31844 bytes
jbig2_00_off000fcc16.bin
515e55c68696b8dd6434221b2b6e606bb4d9d8841a255aa039673b4a8a922596
pdf-jbig2-stream PDF JBIG2 stream at offset 0xFCC16 90 bytes
jbig2_01_off0010a7eb.bin
d82947edf76b00ad5837ba44b24bd90da2c6f9af99fd1040137cb1decaad4e89
pdf-jbig2-stream PDF JBIG2 stream at offset 0x10A7EB 82 bytes
jbig2_02_off0010a8f9.bin
f04922d3de82c10bcb97c7da65006083ee9e5e18b1a69c66e67ad975ca78e505
pdf-jbig2-stream PDF JBIG2 stream at offset 0x10A8F9 156 bytes
jbig2_03_off00127201.bin
2840568e73f15b8a82e018acc185bdebe170f1f6e016914f9b2d4e5cdfa44b37
pdf-jbig2-stream PDF JBIG2 stream at offset 0x127201 118 bytes
jbig2_04_off001280be.bin
b9e8068a43dc7776882420559628f21f290960a0ef390f7d251cbaae586a92a6
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1280BE 117 bytes
jbig2_05_off0014aa15.bin
0b81fca07cfbb2b5ad5967c4691b3c0b353c71fe213df14c8555793c3f2b4b02
pdf-jbig2-stream PDF JBIG2 stream at offset 0x14AA15 387 bytes
jbig2_06_off0014adfd.bin
180633548fd2c69acc251e3efbf33ce9db853c7677993685e1d8de088514cef8
pdf-jbig2-stream PDF JBIG2 stream at offset 0x14ADFD 85 bytes
jbig2_07_off00175de8.bin
08385bad6e6af25cbb1a0406050d9091595701cf2b817efdd2e02f0b0328782c
pdf-jbig2-stream PDF JBIG2 stream at offset 0x175DE8 72 bytes
jbig2_08_off001c44a4.bin
82acc22c739657d6a7ff77ec4565b143777f79c05358cc4fa741fc7cebbcbf94
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1C44A4 118 bytes
jbig2_09_off001de473.bin
6e7890bb608374295bd8e77e344a44b3a2a6c84b79f6da848bfceb68ea6b45b3
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1DE473 130 bytes
jbig2_10_off001de735.bin
24e9fa549cad62427b842120c313add8dfcccd141bcfd2269be8e4c458425d2a
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1DE735 129 bytes
jbig2_11_off001deef0.bin
4e7694c193a922a533e36e66be3256cd1177fdc3c561427b0a2f918e33517023
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1DEEF0 131 bytes
jbig2_12_off0035d4c6.bin
14639e1eeae9c3079d9dbd6385fecd61e54f26cc3e24f58421dbb4274fc5a995
pdf-jbig2-stream PDF JBIG2 stream at offset 0x35D4C6 73 bytes
jbig2_13_off005b8dd6.bin
689949bad4356c16990e82d4dd957486947ea9d8d3b6436dcf3edb9966a70634
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5B8DD6 129 bytes
jbig2_14_off005b9095.bin
69974d17aeb68264b847f17009a2c136972e18757cbffbf206b7ec1a4f54dc6c
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5B9095 143 bytes
jbig2_15_off005b9362.bin
f04e6baacf6f36cf8bee22f5fb2bc072e8bbdb9c18de07cb372fb71a16f0c9f0
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5B9362 136 bytes
jbig2_16_off005b9628.bin
32db8e9c94fe999f2f59ce1febc6b7897bee03142f06a4b7875b42c9d7d11834
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5B9628 123 bytes
jbig2_17_off005b98e1.bin
cb973ca2a5463b539ddb8e49feb188d1b329212ae1844a81b09d3e4d08e2bd22
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5B98E1 112 bytes
jbig2_18_off005b9b8f.bin
da6ffcbcc7c4f5465feaa9a7f5c6398b1e7bd88a533f1fd4d485311fc212bdeb
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5B9B8F 151 bytes
jbig2_19_off005b9e66.bin
1068504927fbf5e1700ce5e99af21aefaa92b108ac262a3e672a751b87aadfd3
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5B9E66 87 bytes
jbig2_20_off005bd5f0.bin
b6185def850cb2bbf2e6977715337c5b33027097e2686fff6abfeb227fbbd357
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5BD5F0 73 bytes
jbig2_21_off005cdc0b.bin
d593957787b0f6ca4e0757e1115f0f64f08e29db3b75993d1f8ebd2845591fb7
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5CDC0B 88 bytes
jbig2_22_off005e4a0d.bin
98f878b74a65dcf0f810c6fd6a2e909fff396598d7d8286bb28548b4334f001e
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5E4A0D 72 bytes
jbig2_23_off005e506a.bin
00afa4cbe42b03c8e1b8f6a2b354f534d537f15df774af92b8b6503623dfa84a
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5E506A 119 bytes
jbig2_24_off005fde5d.bin
18696623de8c7cd2382b374b1dff25a27cc2537ea90cf8f9d859605458b603e6
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5FDE5D 410 bytes
jbig2_25_off005fe931.bin
0d14629ada72e7052154022160f1f7daaa40ca946b7149a618c46162c5656859
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5FE931 72 bytes
jbig2_26_off00e0bf76.bin
f0bc4c068d57d1eb1be55aa2eccf17e172f2104043161fdbf48b38460431d58f
pdf-jbig2-stream PDF JBIG2 stream at offset 0xE0BF76 836 bytes
jbig2_27_off00e21144.bin
92cdbf77a2df2771df34fa340ddd8947f64173c387e45c939ebe2082d33ebfb5
pdf-jbig2-stream PDF JBIG2 stream at offset 0xE21144 72 bytes
font_00_sfnt_off0000c660.bin
26e2fab01b8c6439a97ac41a90cad97021e3130e8f5913b764b97004601f5c5d
pdf-font-stream PDF embedded font (sfnt) at offset 0xC660 13248 bytes
font_01_sfnt_off0000e8f5.bin
0c6c85292158e7e2bc5286e3e12006c6413d7b914c427f100a1472ac571ef174
pdf-font-stream PDF embedded font (sfnt) at offset 0xE8F5 4136 bytes