Malicious PDF — malware analysis report

Static analysis result for SHA-256 0823760e0438ac98…

MALICIOUS

PDF

58.1 KB Created: 2020-08-02 14:26:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8198f28c19812fef38b1ea7c9d74a3ed SHA-1: f8cc763ef94def52b3f47b4c9804420d7aff3316 SHA-256: 0823760e0438ac98ce4a47ba71c4b56cbf18083581b6057aa87cc371013fb687
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, with one identified as a malicious redirector. The ML classifier strongly flagged this PDF as malicious. Although no scripts were explicitly extracted, the presence of embedded URLs and the heuristic firings suggest the document is designed to lead the user to malicious infrastructure, likely for downloading further malware or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=is+protosmasher+safe
    • http://files.rubyannemason.com/uploads/1/3/2/6/132681062/9644593.pdf
    • http://files.bighammershields.com/uploads/1/3/2/7/132740362/709975.pdf
    • http://files.gbyws.org/uploads/1/3/1/4/131483019/paludizixi-pazibokadelok-xovubonavegazuz-nobuxudisapefod.pdf
    • http://files.globalisationandcities.com/uploads/1/3/1/6/131607174/jilaxafufusekiw.pdf
    • http://files.neurothinktank.com/uploads/1/3/1/3/131380482/6783824.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0439/7203/4718/files/5384235466.pdf
    • https://cdn.shopify.com/s/files/1/0432/7371/5880/files/xetawobokejopubiradugibu.pdf
    • https://cdn.shopify.com/s/files/1/0430/4440/5397/files/jozetanidegadosadogev.pdf
    • https://cdn.shopify.com/s/files/1/0433/1310/2998/files/xawukefulupunixod.pdf
    • https://cdn.shopify.com/s/files/1/0428/3485/4051/files/horde_leveling_zones_vanilla.pdf
    • https://cdn.shopify.com/s/files/1/0438/8713/2827/files/logitech_usb_microphones.pdf
    • https://cdn.shopify.com/s/files/1/0428/9105/1161/files/besaxe.pdf
    • https://cdn.shopify.com/s/files/1/0434/3015/0309/files/46000992217.pdf
    • https://cdn.shopify.com/s/files/1/0432/9648/9632/files/nisafubumefixajexo.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gijamibumiji.pdf
    • https://cdn.shopify.com/s/files/1/0435/5004/8420/files/82572035057.pdf
    • https://cdn.shopify.com/s/files/1/0428/4914/0902/files/60149683385.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/gidawibozifuniji.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007758.bin
3645621ded0bdaeeed988564b782e1e719fadda3c6f45bff2e552ffe9fdb74ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7758 4680 bytes
font_01_sfnt_off00008728.bin
52748491b584814d0f7424ecd7250f412108e3e878caaa2ed4eafb24f964eb7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8728 2884 bytes
font_02_sfnt_off0000932d.bin
d5d77c5819d3d056c21c29f315275970826c6c30795b16876637ea299664d1dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x932D 10560 bytes
font_03_sfnt_off0000b77e.bin
64f21e55c2f29c6f605e8f9fd96e7f7b34f9b4a26fdc717ddead948457370e3b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB77E 16148 bytes
font_04_sfnt_off0000cc8e.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC8E 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.