Malicious PDF — malware analysis report

Static analysis result for SHA-256 045e59ddf4c73bb0…

Verdict: MALICIOUS
File type: PDF
Size: 50.3 KB
Created: 2020-08-24 14:49:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75f032440a9c273b44ebbbf850430e82
SHA-1: bc9523992f87d16c3c3f9c8f9593cf3f0f349c36
SHA-256: 045e59ddf4c73bb0d9de7aba0ecd92e42d93c91ffad5c75ed07ae6f291334ae6
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to redirector infrastructure. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK flagged the link to ttraff.ru (the /URI target listed first under Embedded URL below) as malicious. The document body, although garbled, contains the same URL, which suggests an attempt to disguise the malicious link behind seemingly benign page content. The wkhtmltopdf producer string is consistent with an HTML-to-PDF generated link-farm carrier rather than a hand-authored document. No scripts were extracted from this sample, so the delivery depends on the user clicking a link and following a redirect chain rather than on a parser vulnerability.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches the generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content; for this sample it stays at info.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=allahabad+kondapuram+movie+songs++in+telugu
    • http://numadavo.gaprx340b.com/uploads/1/3/0/8/130814674/pusefujejuvabe-nalokaz-xabefojovibumuj.pdf
    • http://files.duazamzam.com/uploads/1/3/1/8/131856072/fibofegoxusuk_xibinakinuj_limad.pdf
    • http://files.sammie-smith.com/uploads/1/3/1/4/131483830/lagumurajek-bikamofidor-kekozamimal-pariwa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0462/7041/4999/files/78344126171.pdf
    • https://cdn.shopify.com/s/files/1/0431/2943/8370/files/bamokufomobipapatufoti.pdf
    • https://cdn.shopify.com/s/files/1/0434/0082/2934/files/leturadoku.pdf
    • https://cdn.shopify.com/s/files/1/0431/4864/0418/files/veworagit.pdf
    • https://cdn.shopify.com/s/files/1/0429/2293/4435/files/34875207767.pdf
    • https://cdn.shopify.com/s/files/1/0434/2287/5813/files/1011316464.pdf
    • https://cdn.shopify.com/s/files/1/0434/5046/6464/files/patofisiologi_blighted_ovum.pdf
    • https://cdn.shopify.com/s/files/1/0438/7323/9195/files/31090285146.pdf
    • https://cdn.shopify.com/s/files/1/0430/5905/2706/files/lebasofejagew.pdf
    • https://cdn.shopify.com/s/files/1/0431/5453/8656/files/wabisisofub.pdf
    • https://cdn.shopify.com/s/files/1/0433/5478/3893/files/50012084899.pdf
    • https://cdn.shopify.com/s/files/1/0434/1465/1038/files/35432868883.pdf
    • https://cdn.shopify.com/s/files/1/0435/9503/8877/files/resozamoxezot.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
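
The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced for triage with a small regex-based script. The following is an added example, not the analysis platform's own code: it scans raw PDF bytes for "N G obj ... endobj" definitions and literal-string /URI entries, reports object ids defined more than once with differing bodies, shows what a first-wins and a last-wins reader would each resolve, and scores clustering of link targets by host. It does not parse xref tables or decode streams. The sample PDF bytes, the hosts cdn.example.test, benign.example.test and redirector.example.test, and the thresholds (10 links, 60 % on one host) are constructed for illustration.

```python
# Added triage example (not the analysis platform's own code): reproduces the
# PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM checks over raw PDF
# bytes with regexes. It does not parse xref tables or decode streams, so it is
# a triage aid, not a conforming PDF parser. The sample PDF and all hosts
# (cdn.example.test, benign.example.test, redirector.example.test) are constructed.
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# "N G obj ... endobj" bodies, in file order, duplicates included.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Literal-string /URI entries of link annotations (hex strings are not handled).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def parse_objects(data: bytes):
    """Return [(objnum, gen, body_bytes), ...] for every definition in the file."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data: bytes):
    """Object ids defined more than once with differing bodies: {(n, g): [bodies]}.
    Identical re-definitions (plain incremental updates) are not reported."""
    seen = defaultdict(list)
    for n, g, body in parse_objects(data):
        seen[(n, g)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data: bytes, n: int, g: int, policy: str = "last"):
    """Body a first-wins or last-wins reader would use for object (n, g)."""
    bodies = [b for on, og, b in parse_objects(data) if (on, og) == (n, g)]
    if not bodies:
        return None
    return bodies[-1] if policy == "last" else bodies[0]


def _pdf_unescape(s: bytes) -> bytes:
    # Undo the string escapes that matter for URLs: \( \) and \\ .
    return re.sub(rb"\\([()\\])", rb"\1", s)


def extract_uris(data: bytes):
    """All /URI link targets in the file, including ones in shadowed duplicates."""
    return [_pdf_unescape(m.group(1)).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_score(uris, min_links: int = 10, dominant_share: float = 0.6):
    """Flag when there are many clickable links and one host carries most of them."""
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    total = sum(hosts.values())
    if total == 0:
        return {"flag": False, "total": 0, "top_host": None, "share": 0.0, "hosts": {}}
    top_host, top_count = hosts.most_common(1)[0]
    share = top_count / total
    return {"flag": total >= min_links and share >= dominant_share,
            "total": total, "top_host": top_host, "share": share, "hosts": dict(hosts)}


def _link_obj(num: int, url: str) -> bytes:
    return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >>\nendobj\n").encode()


# Constructed sample: ten links clustered on one CDN host, plus object 14 defined
# twice, first with a benign target and then with a redirector target.
CDN_LINKS = [f"https://cdn.example.test/files/a{i}.pdf" for i in range(10)]
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots ["
    + " ".join(f"{n} 0 R" for n in range(4, 15)).encode() + b"] >>\nendobj\n"
    + b"".join(_link_obj(4 + i, u) for i, u in enumerate(CDN_LINKS))
    + _link_obj(14, "http://benign.example.test/")
    + _link_obj(14, "https://redirector.example.test/go?keyword=movie+songs")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for (n, g), bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {n} {g} defined {len(bodies)} times with different bodies")
        print("  first-wins:", resolve(SAMPLE_PDF, n, g, "first"))
        print("  last-wins: ", resolve(SAMPLE_PDF, n, g, "last"))
    uris = extract_uris(SAMPLE_PDF)
    print(f"{len(uris)} /URI links;", link_farm_score(uris))
```

Run stand-alone, the script prints the shadowed object as each reader policy would see it and the link-farm score for the constructed sample. The thresholds are illustrative. On a real document, check the per-URL channel before scoring: XMP namespace and font-licence URLs such as the ns.adobe.com and dejavu.sourceforge.net entries above are metadata reached by the document-body channel, not clickable link annotations, and must not feed the link-farm count; only /URI targets should.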

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off000065bc.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x65BC
  Size:    3064 bytes
  SHA-256: 9d2d2c82f2bb2f9ef8b6f11fc1e657c0286adcd9f83ecd5893ea16642b73b864

font_01_sfnt_off00007087.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7087
  Size:    5628 bytes
  SHA-256: ddecd3de00b42e2acb1060113f80a7476eb3550de84709c2b8a22d037401b535

font_02_sfnt_off00008374.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8374
  Size:    10180 bytes
  SHA-256: 6ff6e37bcaf13361adf51198379f52ec90c95d4a9e9f736a8bf8714e05845462

font_03_sfnt_off0000a68e.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA68E
  Size:    16096 bytes
  SHA-256: 301fb2f14aa1e9a5cf8540ebf40f17e8311eb9ba756e1d76589e408feb703965