Malicious PDF — malware analysis report

Static analysis result for SHA-256 0272f4cedf773afd…

Verdict: MALICIOUS
File type: PDF
Size: 54.2 KB
Created: 2020-08-02 17:37:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 627c20184a9f5ff19450e29f039a4f1f
SHA-1: 3e4ac4f03e4a68452bc96de75e92bca1075fdee0
SHA-256: 0272f4cedf773afd48d7b27ac7bc6a9ed9c8179dad931f8348d5f6698a915e35
Risk score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a link farm and a primary malicious redirector URL, so it is built to lead users to malicious content or to further stages of an attack rather than to exploit the PDF reader. The document body, though obfuscated, contains keywords related to the redirector URL, reinforcing the lure. The ML classifier scored the file as malicious with maximum confidence, and the large number of external links clustered on a single host points to a link farm or redirection scheme. The file was produced by wkhtmltopdf, which is consistent with an automatically generated carrier rather than a hand-authored document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=install+unifi+controller+raspberry+pi (redirector link)
    • http://files.avrilstaple.com/uploads/1/3/0/8/130873791/9834435.pdf
    • http://files.blossomsbygeorgia.com/uploads/1/3/1/4/131411539/dejiwofadogazupemije.pdf
    • http://files.rheinelectrical.com/uploads/1/3/0/9/130969728/xituniziraruto_ralutopesaj.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0434/6803/0102/files/39387131711.pdf
    • https://cdn.shopify.com/s/files/1/0430/4492/9690/files/jekijagafovafomenada.pdf
    • https://cdn.shopify.com/s/files/1/0433/8096/5534/files/90776857966.pdf
    • https://cdn.shopify.com/s/files/1/0437/1356/0727/files/xozud.pdf
    • https://cdn.shopify.com/s/files/1/0434/3001/9229/files/rededoxokedosapizorizuxu.pdf
    • https://cdn.shopify.com/s/files/1/0433/9823/4270/files/gerekajise.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/81397135942.pdf
    • https://cdn.shopify.com/s/files/1/0429/6425/4883/files/70906853155.pdf
    • https://cdn.shopify.com/s/files/1/0433/6012/5080/files/diwoladekop.pdf
    • https://cdn.shopify.com/s/files/1/0429/0537/0787/files/movelumunotojovilad.pdf
    • https://cdn.shopify.com/s/files/1/0429/9004/3285/files/7390775150.pdf
    • https://cdn.shopify.com/s/files/1/0438/1717/3152/files/pegenadite.pdf
    • https://cdn.shopify.com/s/files/1/0431/7279/0428/files/73086896008.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The last nine entries are XMP metadata namespace identifiers and font licence URLs (SIL OFL, DejaVu) reached through the document metadata and the embedded font data, not through link annotations.
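The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short regex-based scan. The Python below is an added example, not the analysis platform's code: it builds a constructed carrier PDF with placeholder hosts (not the ones listed above), counts clickable .pdf links per host, and finds objects defined twice with different bodies, reporting what a first-wins and a last-wins reader would each resolve. The thresholds, the ACTIVE_KEYS list and the severity escalation rule are assumptions about how such a check might be tuned, and the regex object scanner is not a substitute for a real PDF parser.

```python
"""Added example, not the analysis platform's own code: toy versions of the
PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL checks, run over a
constructed PDF. Thresholds and ACTIVE_KEYS are assumptions, not the tool's."""
import re
from collections import Counter
from urllib.parse import urlparse

# "N G obj ... endobj" by regex: no xref walking, object streams or string
# escapes. Fine for a demo, not a substitute for a real PDF parser.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence makes a duplicated body "active content" (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

def extract_uris(pdf):
    """Targets of every /URI entry (link annotations and URI actions)."""
    return [u.decode("latin-1") for u in URI_RE.findall(pdf)]

def link_farm_score(pdf, max_size=200 * 1024, min_pdf_links=8, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, one dominant host."""
    pdf_links = [u for u in extract_uris(pdf)
                 if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"size": len(pdf), "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2),
            "PDF_SEO_LINK_FARM": (len(pdf) <= max_size and
                                  len(pdf_links) >= min_pdf_links and
                                  share >= cluster_ratio)}

def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: one (num, gen) defined more than once
    with different bytes. Reports what first-wins and last-wins readers use."""
    bodies = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(m.group(3).strip())
    findings = []
    for key, defs in bodies.items():
        if len(defs) > 1 and len(set(defs)) > 1:
            active = any(k in d for d in defs for k in ACTIVE_KEYS)
            findings.append({"obj": key, "definitions": len(defs),
                             "first_wins": defs[0], "last_wins": defs[-1],
                             "active": active, "severity": "high" if active else "info"})
    return findings

# ---- constructed sample (placeholder hosts, not the ones in the report) ----
def _pdf(objs):
    """Serialize (num, body) pairs with a classic xref table and trailer."""
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num, body in objs:
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos, n = len(out), max(offsets) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % n
    for i in range(1, n):
        out += b"%010d 00000 n \n" % offsets[i]
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (n, xref_pos)
    return bytes(out)

def append_update(pdf, num, body):
    """Incremental update that redefines object `num`: the same layout a normal
    editor writes; what the heuristic keys on is that the body bytes differ."""
    prev = int(re.findall(rb"startxref\s+(\d+)", pdf)[-1])
    size = int(re.findall(rb"/Size\s+(\d+)", pdf)[-1])
    out = bytearray(pdf)
    off = len(out)
    out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n%d 1\n%010d 00000 n \n" % (num, off)
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n"
            % (size, prev, xref_pos))
    return bytes(out)

def build_sample():
    """12 .pdf links on one host plus 2 elsewhere, then an update that swaps
    annotation object 5's target for a redirector URL."""
    links = [b"http://files.link-farm.test/uploads/%d.pdf" % i for i in range(12)]
    links += [b"https://cdn.store.test/files/a.pdf", b"https://cdn.store.test/files/b.pdf"]
    annots = list(range(4, 4 + len(links)))
    link = b"<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] /A << /S /URI /URI (%s) >> >>"
    objs = [(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
            (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
            (3, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>"
                % b" ".join(b"%d 0 R" % n for n in annots))]
    objs += [(n, link % u) for n, u in zip(annots, links)]
    return append_update(_pdf(objs), 5, link % b"https://redirector.test/go?keyword=install+lure")

if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_score(sample))
    for f in duplicate_objects(sample):
        print(f["obj"], f["severity"], f["first_wins"], f["last_wins"])
```

Run stand-alone, it reports a link-farm hit (14 .pdf links, 86% of them on one host) and one duplicate finding for object 5 0: the original body points into the link farm, the incremental update retargets it to the redirector, and because the differing body carries a /URI action the finding is escalated. A reader that trusts the latest xref section (the behaviour the PDF specification prescribes for incremental updates) follows the redirector, while a first-wins or repair-mode parser sees only the original target, which is exactly the divergence the heuristic describes.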

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded font programs (sfnt), consistent with a wkhtmltopdf-generated document; no other artifact kind was carved.

font_00_sfnt_off000071f8.bin
  SHA-256: d57ccfcdf6e8f109adba30c44e59620c24b08b2c4ba07ab13b4a7be4bb5a3d5e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x71F8
  Size: 5072 bytes

font_01_sfnt_off00008336.bin
  SHA-256: 33fa4c8099a1bc98b83a9f7ac02b94a7f491ac78039983eeaeffe55ad861fed7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8336
  Size: 10636 bytes

font_02_sfnt_off0000a7c1.bin
  SHA-256: bf8f9ece8d9d74ce2d7a98a07ee1bb8f4056faf702b3b1702118181e85f1b939
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA7C1
  Size: 16312 bytes

font_03_sfnt_off0000bd4c.bin
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBD4C
  Size: 4324 bytes
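The artifacts table records a file offset, size and SHA-256 for each carved font. As an added example (not the platform's own carver), the Python below walks the stream objects of a constructed, xref-less PDF fragment, inflates FlateDecode streams, keeps those whose first four bytes are an sfnt tag, and names them the way the table does. It assumes that the offset in the filename is the file offset of the raw stream data, skips a truncated Flate stream instead of aborting, trusts a direct /Length and falls back to searching for endstream when /Length is an indirect reference, and does not handle object streams, encryption or other filters.

```python
"""Added example, not the analysis platform's own code: carve embedded sfnt
fonts (TrueType/OpenType) out of a PDF's Flate streams and name them like the
artifacts table. The PDF is a constructed fragment; "offset" is assumed to be
the file offset of the raw stream data."""
import hashlib
import re
import struct
import zlib

# "N G obj << dict >> stream\n"; the tempered dot keeps a dict from spanning objects.
OBJ_STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# First four bytes of an sfnt container (assumed minimal set of tags).
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType",
               b"OTTO": "OpenType/CFF"}

def _raw_stream(pdf, m):
    """Return (data_offset, raw bytes). Trust a direct /Length; fall back to
    searching for 'endstream' when /Length is an indirect reference (N G R)."""
    start = m.end()
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", m.group(3))
    if length:
        return start, pdf[start:start + int(length.group(1))]
    end = pdf.find(b"endstream", start)
    return start, pdf[start:end if end != -1 else len(pdf)].rstrip(b"\r\n")

def carve_sfnt_fonts(pdf):
    """Walk every stream object, inflate FlateDecode streams, keep sfnt blobs.
    Object streams, encryption and filters other than Flate are not handled."""
    fonts, pos = [], 0
    while True:
        m = OBJ_STREAM_RE.search(pdf, pos)
        if not m:
            return fonts
        off, raw = _raw_stream(pdf, m)
        pos = off + len(raw)                 # resume after the binary body
        data = raw
        if b"/FlateDecode" in m.group(3):
            try:
                data = zlib.decompress(raw)
            except zlib.error:               # truncated/corrupt stream: skip it
                continue
        flavor = SFNT_MAGICS.get(data[:4])
        if flavor is None:
            continue
        fonts.append({"filename": "font_%02d_sfnt_off%08x.bin" % (len(fonts), off),
                      "kind": "pdf-font-stream", "flavor": flavor, "offset": off,
                      "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
                      "data": data})

# ---- constructed sample ----------------------------------------------------
def sample_fonts():
    """Two minimal sfnt blobs (offset table plus one table record each)."""
    tt = (struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
          + struct.pack(">4sIII", b"cmap", 0, 28, 16) + bytes(range(16)))
    otf = (b"OTTO" + struct.pack(">HHHH", 1, 16, 0, 0)
           + struct.pack(">4sIII", b"CFF ", 0, 28, 8) + b"\x01\x00\x04\x02\x00\x01\x01\x01")
    return tt, otf

def _stream_obj(num, dict_extra, body):
    return (b"%d 0 obj\n<< /Length %d%s >>\nstream\n%s\nendstream\nendobj\n"
            % (num, len(body), dict_extra, body))

def build_sample():
    """PDF fragment without xref: a content stream (not a font), a TrueType
    FontFile2, an OpenType FontFile3 and a truncated Flate stream to be skipped."""
    tt, otf = sample_fonts()
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    pdf += _stream_obj(4, b" /Filter /FlateDecode", zlib.compress(b"BT /F1 12 Tf (lure) Tj ET"))
    pdf += _stream_obj(5, b" /Filter /FlateDecode /Length1 %d" % len(tt), zlib.compress(tt))
    pdf += _stream_obj(6, b" /Filter /FlateDecode /Subtype /OpenType", zlib.compress(otf))
    pdf += _stream_obj(7, b" /Filter /FlateDecode", zlib.compress(tt)[:8])
    return pdf + b"%%EOF\n"

if __name__ == "__main__":
    for f in carve_sfnt_fonts(build_sample()):
        print(f["filename"], f["sha256"], f["kind"], f["flavor"], "%d bytes" % f["size"])
```

The hash is taken over the inflated bytes, which is what you want when comparing carved fonts across samples: the same font program compressed by different tools yields different stream bytes but the same decoded SHA-256, so a recurring font hash is a usable pivot between carriers from the same generator.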