Malicious PDF — malware analysis report

Static analysis result for SHA-256 0aa2fdc675bf414b…

MALICIOUS

PDF

90.4 KB Created: 2020-08-24 02:45:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ed72cdf1f55bab2b3fdaffe3ed74fcad SHA-1: c8e75e71cea6f2299605bbc31b3158abd8965c01 SHA-256: 0aa2fdc675bf414bc9767c262835391fa639ae39682a4028b7a19e43ca73c66b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded links that point to a known malicious redirector, indicating an attempt to lure users to malicious sites. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains URLs that are consistent with a phishing or redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=issb+test+guide+book
    • http://ritotoz.asianairspace.com/uploads/1/3/0/7/130740257/3913968.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0432/0254/3778/files/avidemux_for_windows_10.pdf
    • https://cdn.shopify.com/s/files/1/0430/1609/3849/files/41560443585.pdf
    • https://cdn.shopify.com/s/files/1/0429/1218/6531/files/kudapenofigak.pdf
    • https://cdn.shopify.com/s/files/1/0432/9907/8299/files/wurebodemedizeli.pdf
    • https://cdn.shopify.com/s/files/1/0432/3917/8399/files/medical_lab_technician_resume.pdf
    • https://cdn.shopify.com/s/files/1/0432/1335/7214/files/zatorixokefizinosilutol.pdf
    • https://cdn.shopify.com/s/files/1/0431/3976/0285/files/cs_first_login.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mipin.pdf
    • https://cdn.shopify.com/s/files/1/0431/7066/0508/files/sunifuwofovag.pdf
    • https://cdn.shopify.com/s/files/1/0435/1806/6843/files/67950666419.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011d25.bin
8417c1f576987223d63907d907643097c5826b723e2084e650b43267d4f7a704		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D25 4796 bytes
font_01_sfnt_off00012d84.bin
d3e5443385667c0c81dc72eefb8d03aed726ca8bd396730e800e57b58bd060f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12D84 15380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.