Malicious PDF — malware analysis report

Static analysis result for SHA-256 075e27422e3b8737…

MALICIOUS

PDF

Size: 39.1 KB
Created: 2020-08-18 21:59:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1701eb78fd17912359d62fe62af3bfd0
SHA-1: 673512b2e328f78e1c42acf2291fbd2942df8961
SHA-256: 075e27422e3b8737e5c235b357bc1b1e2ff8ec62e64c3e7a114d8c6381f152a9
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm and a specific malicious redirector URL, suggesting an attempt to drive traffic to potentially harmful content. The document body, though heavily obfuscated, contains text related to 'sports live tv v2 apk free' and the malicious URL, indicating a lure for users to download software. The presence of multiple embedded URLs, including a known malicious redirector, strongly suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://ttraff.cc/pify?keyword=sports+live+tv+v2+apk+free

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000462a.bin
    SHA-256: f1a78e88d59fec8d7e962c9bfcfb6573086537e59c7eb551effb1dc46f42e442
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x462A
    Size: 5252 bytes
  • font_01_sfnt_off00005820.bin
    SHA-256: e5ca683939207be4294a5e45f9672f98d00028172145303cb31c9b48d6940599
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5820
    Size: 9764 bytes
  • font_02_sfnt_off000079d6.bin
    SHA-256: f2bd4c6fc91f8deac8cf20c59d32b90de5c04884fa2a16156a7bf6c1ca40c062
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x79D6
    Size: 16520 bytes