Malicious PDF — malware analysis report

Static analysis result for SHA-256 e404a4fef8a30815…

Verdict: MALICIOUS
File type: PDF
Size: 141.0 KB
First seen: 2022-05-13
MD5: 67db60f80efa8820633911b3ada48275
SHA-1: 46ce8e54e5b8b558f99e6d9ee257f01d51be1f6a
SHA-256: e404a4fef8a30815cdf6805f18c0022df2255d63e03bbce4da13ab9e0687fa13
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains a direct link to a RAR archive, identified as a malicious payload. This suggests the document is designed to trick the user into downloading and potentially executing the contents of the archive, which is presented as a legitimate PDF viewer. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5605

Heuristics (4)

  • [critical] PDF_DIRECT_PAYLOAD_LINK: PDF link points directly to executable/archive payload
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://adoba-us.online/pdf-viewer-online.rar
    • https://cdn.discordapp.com/attachments/847360629584560142/890129043784101898/Order_-2021_09_22.zip
    • https://cdn.discordapp.com/attachments/847360629584560142/890477971549331486/CQMS018669_DN.zip
    • https://cdn.discordapp.com/attachments/847360629584560142/891937736909541428/Revised_DWG_original_copy_for_confirmation.cab
    • https://cdn.discordapp.com/attachments/917649518370119694/920205712154574858/PO_00046HG.rar
    • https://cdn.discordapp.com/attachments/917649518370119694/946385539572072528/RFQ-0097HK.rar
    • https://cdn.discordapp.com/attachments/917649518370119694/955450037125672960/k5HmhBPd5BZ1MtD.rar
    • https://cdn.discordapp.com/attachments/958234472795500567/974218477244137512/Quotation_for_Order.rar
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • https://apps.usw2.pure.cloud/s/#/1/bxu4k54ncfgevbo6muaa6mb3pu

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_020_off00015b72.js | 7f68060c12aa0490b4931a4c59d9b4ed69304fdf612094ec02ce5870c9abcc2c | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x15B72 | 246 bytes
stream_023_off00016e1e.js | 69f60f68bb9219e9ea5949536437c380264306c7609853d33b1e5f77724f9929 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x16E1E | 242 bytes
stream_026_off000180cb.js | 3430f424cc7a38d474663c2e659648f1aa151eb2bdb5495f9420856c9ada15b8 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x180CB | 271 bytes
stream_029_off0001938c.js | 361a8d1632524fec68078fff63f8febf27e0dbf03aff7d6acc19378d7722a2a5 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1938C | 239 bytes
stream_045_off00020c68.js | 198b232c0f1aec1494ac7a2696b02e695b8e2c8d08c4d7e6cefac148714b309f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x20C68 | 239 bytes
stream_048_off00021f3b.js | aa4f3d959e53bad6616f4680317bb27cce3ce08dcf733b7621a7c757c9ee5a26 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x21F3B | 244 bytes
stream_051_off000231ec.js | c43b8e22fb9621201185884f2fae226321af5865a0c2100283b387a3af78a208 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x231EC | 248 bytes
font_00_cff_off000013b2.bin | 0aa7e1e502c31d9b78ae9c062dba03ae72635b220e710c3b1425bec8ec8037eb | pdf-font-stream | PDF embedded font (cff) at offset 0x13B2 | 2326 bytes
font_01_cff_off0001c24c.bin | 9fe5f405ce5133d434c5db902a7424cc558aa409f81c3303483d5495fd3f23bb | pdf-font-stream | PDF embedded font (cff) at offset 0x1C24C | 782 bytes
font_02_cff_off000206cb.bin | 09ccc80332b6bada661298f5a2f523284155be737d2d5cf3faf2fba82aeb19a6 | pdf-font-stream | PDF embedded font (cff) at offset 0x206CB | 1172 bytes