Malicious PDF — malware analysis report

Static analysis result for SHA-256 03104e53500eb948…

MALICIOUS

PDF

98.3 KB Created: 2020-09-01 12:40:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bfbca14cd9228eeeddb582b5c2846d23 SHA-1: b55f299a257d086829845b3e1523f4769226d794 SHA-256: 03104e53500eb9484de58bae0d56c612f20a2c202c41f048350b871087860cc5
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text that suggests a lure for an advance-fee scam, supported by the SE_ADVANCE_FEE_SCAM_LURE heuristic. The ML classifier also strongly indicates maliciousness. The primary IOC is the malicious redirector URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=hyundai+avante+xd+2000+manual+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0434/9352/3618/files/wacom_tablet_not_working_mac.pdf
    • https://cdn.shopify.com/s/files/1/0437/5022/8119/files/69017753816.pdf
    • https://cdn.shopify.com/s/files/1/0439/4670/5051/files/wemar.pdf
    • https://cdn.shopify.com/s/files/1/0433/2729/1542/files/tujene.pdf
    • https://static.usrfiles.com/ugd/e3ff21_7848ae9da50a4dbc95b1de8851234b88.pdf
    • https://static.usrfiles.com/ugd/b8c837_89cc82cb06bd47df83cc7842ad9e5c91.pdf
    • https://static.usrfiles.com/ugd/fa6f14_372a4e9179cf47ce85a53bb3f2428a2d.pdf
    • https://static.usrfiles.com/ugd/33a16d_3aefca7feb5b4ea48dcf5124b914e58e.pdf
    • https://static.usrfiles.com/ugd/078c79_69a797eb84944326a18db9dcb2743330.pdf
    • https://cdn.shopify.com/s/files/1/0433/7935/9900/files/98067610817.pdf
    • https://cdn.shopify.com/s/files/1/0429/5645/6095/files/71855321949.pdf
    • https://cdn.shopify.com/s/files/1/0431/0935/1578/files/definicion_de_anexos.pdf
    • https://static.usrfiles.com/ugd/b8c837_7a39722e76d24cc19e2254edd26c2a7e.pdf
    • https://static.usrfiles.com/ugd/55cc32_7a42add8e8cf41c288246a0741712c66.pdf
    • https://static.usrfiles.com/ugd/41f880_ffd1bc4817e7479f80c82fd7b8a0d2e6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001063b.bin
162bfecca1f05065096f81106aa26cca76352f53e71f44b64d72348987fdd79a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1063B 4792 bytes
font_01_sfnt_off00011715.bin
24a1a2e65e6b2c63f053926b5601b0e8008d677527be0ec6a5b7a26a1fd06730		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11715 5148 bytes
font_02_sfnt_off00012888.bin
aa63c74882b865ed60039162b85ca26a293f65badc6b3eed6d588cc1e79505ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12888 15340 bytes
font_03_sfnt_off00015890.bin
713933360072c9d59346590fad668f98c3603c6d2b72ed941ce85481f6af0b74		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15890 16060 bytes
font_04_sfnt_off00016d22.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16D22 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.