Malicious PDF — malware analysis report

Static analysis result for SHA-256 08cfcf24e9d3956c…

MALICIOUS

PDF

56.1 KB Created: 2020-09-04 00:10:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a07541cd437cf34bbbaa242407bdea90 SHA-1: 50ffe2feb949615b69323fb9e59b9264beb31624 SHA-256: 08cfcf24e9d3956c05a6c8470a8faf581bd09dbf5ba829861ce49473fea2483f
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, with one pointing to a known malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external PDF links, suggesting a link farm or SEO poisoning tactic. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document may be intended to trick users into downloading an archive, which would require a password provided elsewhere, likely to bypass gateway scanning.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=formacion+del+celoma+intraembrionario
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0432/0673/8079/files/lopez_lake_fish_report.pdf
    • https://cdn.shopify.com/s/files/1/0460/6728/6180/files/50254445934.pdf
    • https://cdn.shopify.com/s/files/1/0429/6350/1222/files/jewosowebami.pdf
    • https://cdn.shopify.com/s/files/1/0458/6297/7689/files/nawasunope.pdf
    • https://cdn.shopify.com/s/files/1/0427/8861/8396/files/wujizagunore.pdf
    • https://static.usrfiles.com/ugd/b8c837_9af6a01153da4800bb69aa80a8cf6f5b.pdf
    • https://static.usrfiles.com/ugd/dd4472_65ee46d5200e45499bde5156df21003e.pdf
    • https://cdn.shopify.com/s/files/1/0432/2043/5112/files/software_project_estimation_document_template.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/texigusowemojegovivek.pdf
    • https://cdn.shopify.com/s/files/1/0434/5672/5153/files/wexepuj.pdf
    • https://static.usrfiles.com/ugd/b8c837_f4b4e6ad63e74aae84127cfbd282512b.pdf
    • https://static.usrfiles.com/ugd/e5a943_da0872908fa244528dd960459a068902.pdf
    • https://static.usrfiles.com/ugd/b8c837_8c1f3fb7df974c00b7f3a8f0f9b5b514.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00007a2c.bin
eb8fc824c9cbfaace7cca861f09f87cd088db500f11b5cda623f32c8b28d18dc		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7A2C 6608 bytes
font_00_sfnt_off0000694d.bin
2b986e7887f7341d04d5c231d763e1f4669e0bece29f17484c9e28df2e348ebd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x694D 5000 bytes
font_02_sfnt_off00008dc3.bin
f0dbdc961b5e712cd36d4fe67eefa86d2e7bab461898392669c9167dfd422565		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8DC3 14924 bytes
font_03_sfnt_off0000bc3f.bin
301fb2f14aa1e9a5cf8540ebf40f17e8311eb9ba756e1d76589e408feb703965		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBC3F 16096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.