Malicious PDF — malware analysis report

Static analysis result for SHA-256 03ea815f66a7e18d…

MALICIOUS

PDF

42.6 KB Created: 2020-09-04 02:03:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04e5e02b6dac3c0cf44179ba03aa4711 SHA-1: 3f1fc362d992c4d46b327e6cb958b1ac473b3c27 SHA-256: 03ea815f66a7e18d09d496bd6686a091c7402edd3243a1a5dd2f892070a146d3
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a link farm and a critical heuristic firing for a malicious redirector, specifically pointing to a KMS activator lure. The document body, though heavily obfuscated, contains the same lure and a URL. Additionally, a heuristic indicates instructions to disable security software, which is a common tactic to facilitate further malicious activity. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=kms+activator+windows+7+64+bit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://static.usrfiles.com/ugd/4fea5c_ce19c42995cd4b73ba8fbf1206e0399b.pdf
    • https://static.usrfiles.com/ugd/b8c837_0cbffd95719a48abb4eb29ecff715736.pdf
    • https://static.usrfiles.com/ugd/4b874d_3984c5d6cdba4bafa62e295028cbc5a3.pdf
    • https://static.usrfiles.com/ugd/c83fdb_83f922ea90df46968418e8fd1ad8979a.pdf
    • https://static.usrfiles.com/ugd/a01749_ddb14862d5334c8d855e5c6ae236a813.pdf
    • https://static.usrfiles.com/ugd/a13bc2_7b6314ade26d47fb956c6d993a5b2abf.pdf
    • https://static.usrfiles.com/ugd/b8c837_965c8c0373814048ad8d9eb9b11ac205.pdf
    • https://static.usrfiles.com/ugd/b48b60_7c5f7634bd1c49cc85fed42584c47605.pdf
    • https://static.usrfiles.com/ugd/943725_1a0793573b39488bb81ad67660e5f001.pdf
    • https://static.usrfiles.com/ugd/b8c837_236f357a6a844886b6b9d1d0f9d061e1.pdf
    • https://static.usrfiles.com/ugd/8ba634_407b43d232dd4b958ca4d8409dd54799.pdf
    • https://static.usrfiles.com/ugd/08fe48_ccd68a1b5c3c45b491d81dfcf976e05d.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/domamusuvusuzexi.pdf
    • https://cdn.shopify.com/s/files/1/0430/6065/8333/files/67825975097.pdf
    • https://cdn.shopify.com/s/files/1/0432/7017/6932/files/bobby_singer_s_guide_to_hunting.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005b08.bin
34bd206f2c0148cb05a87cd9077dded06a0a70a55e9e6f99203bdc07d0cad01f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5B08 5304 bytes
font_01_sfnt_off00006d0a.bin
56501ec7970eb354531eee5d03e0f5faa5c610b619890bc41f7a0e7bf0ffae92		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D0A 10044 bytes
font_02_sfnt_off00008f6d.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8F6D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.