Malicious PDF — malware analysis report

Static analysis result for SHA-256 032fa510b8f56f33…

Verdict: MALICIOUS
File type: PDF
Size: 47.5 KB
Created: 2020-08-01 19:25:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0c29fe9e9bd644b2b67461238be4d6da
SHA-1: 03865ebf276a9c8c5e92b43baeec53b865cb4d9a
SHA-256: 032fa510b8f56f33428def53da252acf9c8761145d7c07254023a68124ff88d9
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, which is likely intended to lead the user to a phishing or malware distribution site. The document body, though heavily obfuscated, contains the same URL, suggesting it is the primary lure. The presence of numerous other PDF links, many hosted on seemingly unrelated domains, indicates a link farm designed to obscure the malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.ru/pify?keyword=ark+ghillie+suit
    • http://files.jessicaluni.com/uploads/1/3/0/7/130738819/dudivuva.pdf
    • http://files.nolapaintersdbr.com/uploads/1/3/1/4/131454620/ade1aad4a72b78.pdf
    • http://files.celebraterecoverycb.com/uploads/1/3/0/7/130775143/xuzasobafavad-zutovatovowatal.pdf
    • http://files.emmanuelfrancis.org/uploads/1/3/1/8/131856353/bajaweda.pdf
    • http://files.biolutionresources.com/uploads/1/3/1/4/131409574/3265164.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://cdn.shopify.com/s/files/1/0431/4864/0418/files/wurevikugogosuzoduku.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gegexovikorojirokelaxedu.pdf
    • https://cdn.shopify.com/s/files/1/0430/6845/7122/files/foworo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/10699911966.pdf
    • https://cdn.shopify.com/s/files/1/0429/5249/1159/files/sepinoge.pdf
    • https://cdn.shopify.com/s/files/1/0432/6745/7188/files/16698097111.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/49816413057.pdf
    • https://cdn.shopify.com/s/files/1/0434/6803/0102/files/81338536969.pdf
    • https://cdn.shopify.com/s/files/1/0439/1269/1867/files/73462884338.pdf
    • https://cdn.shopify.com/s/files/1/0436/8665/8213/files/8913882864.pdf
    • https://cdn.shopify.com/s/files/1/0437/1097/2056/files/xuduwemad.pdf
    • https://cdn.shopify.com/s/files/1/0431/4519/9767/files/57211502131.pdf
    • https://cdn.shopify.com/s/files/1/0435/5234/2184/files/zadupurogawedimar.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006ddb.bin
  SHA-256: 5c8794f9e2f899e1f3285a897ba4cdc1081993f6adcaef4ea72f39c487309fc8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6DDB
  Size: 4792 bytes

Filename: font_01_sfnt_off00007e20.bin
  SHA-256: 58b4873d33ac9fffaf45ed1a2312b8eb5fadf3b067e77f8cfe9e87095f6a7717
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7E20
  Size: 6068 bytes

Filename: font_02_sfnt_off00008dd1.bin
  SHA-256: ee68d5b0922c9c7789d269532f5cd06b1bbea733707eb42add29a1159517b81a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8DD1
  Size: 10104 bytes