Malicious PDF — malware analysis report

Static analysis result for SHA-256 0aa823883cc1724c…

Verdict: MALICIOUS
File type: PDF
Size: 55.0 KB
Created: 2020-08-11 14:01:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ea5ab64699d09b416e7f8994356304f7
SHA-1: 96a0bb1a7733d7b2d0bafac7e156303bc1752177
SHA-256: 0aa823883cc1724ca10a47d7fb389a02b29c440a74ec0a30813c4f01e0a3167c
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links, at least one of which points to known malicious redirector infrastructure, and the ML classifier scored the file as malicious with maximum confidence. No scripts were extracted from the document, so the T1059.007 (JavaScript) mapping above is not backed by any recovered code; the verdict rests on the embedded URLs and the PDF_SEO_LINK_FARM heuristic, which together indicate an attempt to lure users to malicious sites, most likely as part of a phishing or scam campaign that depends on the user clicking rather than on a parser exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and HTTP redirect chains, not on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF carries many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm carrier PDFs used to route users into malicious or unwanted-software delivery chains, not the citation pattern of a normal document.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Because body-only differences are also common in benign incremental updates, the severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries below are RDF/XMP namespace identifiers from the document's metadata, and the scripts.sil.org and dejavu.sourceforge.net entries are license and vendor strings of the kind carried in embedded font name tables; none of these is a navigable link target, and they should not be counted toward the link-farm assessment. Extracted URLs:
    • https://ttraff.ru/pify?keyword=cerfa+02+pdf
    • http://files.downriverkaraokeanddj.com/uploads/1/3/1/6/131606876/bdd09559b60a130.pdf
    • http://files.destined2wed.voyagerwebsites.com/uploads/1/3/0/7/130775009/gugewixuzi.pdf
    • http://files.hopecm.org/uploads/1/3/1/8/131856257/c8d89b9a.pdf
    • http://files.scottrobesoncustomwood.com/uploads/1/3/2/6/132695596/13ef5581e7b94.pdf
    • http://files.wstudio516.com/uploads/1/3/2/6/132681836/796d1323.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0435/7583/6835/files/introduction_to_structural_dynamics_and_aeroelasticity_download.pdf
    • https://cdn.shopify.com/s/files/1/0434/2631/6455/files/immunisation_schedule_qld_2020.pdf
    • https://cdn.shopify.com/s/files/1/0431/3723/7146/files/vemivarixadifenob.pdf
    • https://cdn.shopify.com/s/files/1/0431/1344/7584/files/38511413957.pdf
    • https://cdn.shopify.com/s/files/1/0439/7550/8126/files/converter_to_word_online_full.pdf
    • https://cdn.shopify.com/s/files/1/0427/8334/2748/files/lexitolemepol.pdf
    • https://cdn.shopify.com/s/files/1/0440/5932/8662/files/48653937936.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tovetutokukike.pdf
    • https://cdn.shopify.com/s/files/1/0429/6392/7206/files/6562282351.pdf
    • https://cdn.shopify.com/s/files/1/0433/9345/0134/files/cessna_172_weight_and_balance_form.pdf
    • https://cdn.shopify.com/s/files/1/0432/7607/5164/files/12059171198.pdf
    • https://cdn.shopify.com/s/files/1/0427/9923/5228/files/circulatory_system_worksheet_grade_5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
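The link-farm and duplicate-object heuristics above reduce to a few passes over the raw file, and the embedded-URL caveat reduces to asking which channel a URL string came from. The following is an added example written for this report, not the scanner's own code: it builds a constructed sample PDF (every .example host and the redirector URL are placeholders), resolves a duplicated object both first-wins and last-wins, measures per-host clustering of clickable .pdf links, and separates link-annotation URIs from URL strings that merely appear in an XMP metadata stream. The regexes deliberately ignore xref tables, stream filters and PDF string escapes, and every threshold in link_farm_verdict is an assumption rather than the scanner's tuning.

```python
"""Toy PDF triage: /Link URI extraction, link-farm host clustering and
duplicate 'N G obj' detection over raw bytes (added example, not scanner code)."""
import re
from collections import Counter
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /A << /S /URI /URI (...) >>
ANY_URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")  # any URL string, any channel
TRAILER = b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def link_obj(num, url):
    """One /Link annotation object (generation 0) whose action is a URI."""
    return (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI ("
            % num) + url.encode() + b") >> >>\nendobj\n"


def build_sample_pdf(urls, updated_url):
    """Constructed sample: one page of link annotations (objects 10 0 ..), an XMP
    metadata stream carrying namespace URIs that are not clickable, and an
    incremental update that redefines object 10 0 with a different target."""
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(urls)))
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [4 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
        b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        b'xmlns:dc="http://purl.org/dc/elements/1.1/"/>\nendstream\nendobj\n',
        b"4 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>\nendobj\n",
    ] + [link_obj(10 + i, u) for i, u in enumerate(urls)]
    original = b"%PDF-1.4\n" + b"".join(objs) + TRAILER
    return original + link_obj(10, updated_url) + TRAILER   # same N G, new body


def parse_objects(data):
    """Every 'N G obj ... endobj' definition in file order; the xref is ignored."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(objs):
    """(N, G) -> distinct bodies, for objects defined more than once with
    different bytes: the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape."""
    bodies = {}
    for n, g, body in objs:
        if body not in bodies.setdefault((n, g), []):
            bodies[(n, g)].append(body)
    return {k: v for k, v in bodies.items() if len(v) > 1}


def resolve(objs, policy="last"):
    """Pick one body per (N, G) the way a last-wins or first-wins reader does."""
    table = {}
    for n, g, body in (objs if policy == "last" else reversed(objs)):
        table[(n, g)] = body            # later assignment overwrites
    return table


def link_uris(table):
    """URIs reachable by clicking: /Link annotations carrying a /URI action."""
    return sorted(u.decode("latin-1") for body in table.values()
                  if b"/Subtype /Link" in body for u in URI_RE.findall(body))


def all_urls(data):
    """Every URL string in the file regardless of channel (metadata included)."""
    return sorted({u.decode("latin-1") for u in ANY_URL_RE.findall(data)})


def link_farm_verdict(uris, size_bytes, max_size=100_000,
                      min_pdf_links=10, min_top_share=0.5):
    """Small file, many external .pdf links, one host dominating (assumed thresholds)."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {"pdf_links": len(pdf_links), "top_host": top_host,
            "top_share": round(share, 2),
            "link_farm": size_bytes <= max_size and len(pdf_links) >= min_pdf_links
                         and share >= min_top_share}


# Constructed input: nine .pdf links on one host, two elsewhere, one homepage,
# and an incremental update that retargets object 10 0 at a redirector.
SAMPLE_URLS = (["https://cdn.example/s/files/%d.pdf" % i for i in range(9)]
               + ["http://files.one.example/uploads/x.pdf",
                  "http://files.two.example/uploads/y.pdf",
                  "http://www.corp.example/"])
REDIRECTOR = "https://redirector.example/go?keyword=some+form+pdf"
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, REDIRECTOR)

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print("duplicate objects:", sorted(duplicate_objects(objs)))
    for policy in ("first", "last"):
        uris = link_uris(resolve(objs, policy))
        print(policy, "wins, redirector reachable:", REDIRECTOR in uris,
              link_farm_verdict(uris, len(SAMPLE_PDF)))
    print("URL strings that are not clickable links (last-wins):",
          sorted(set(all_urls(SAMPLE_PDF)) - set(link_uris(resolve(objs)))))
```

On the sample, a last-wins reader sees the redirector target while a first-wins reader sees the original .pdf link, which is why the duplicate-object heuristic matters to the link-farm verdict: whichever policy the victim's viewer uses, the per-host clustering stays above threshold, but the redirector is only reachable under one of them. The namespace URIs appear only in all_urls, never in link_uris, which is the channel distinction the EMBEDDED_URL note asks for.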

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000075d5.bin
    SHA-256: c8b182b60023e312c85afbc5701e1691fda7f1eaae6943916883a3d21c91f3b9
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x75D5   Size: 5004 bytes
  • font_01_sfnt_off000086dd.bin
    SHA-256: a4819ace0c68aea95bbe756288e19462c7f99d9feecd8c208b1fc591cd21e6da
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x86DD   Size: 2464 bytes
  • font_02_sfnt_off000091b9.bin
    SHA-256: 0814f05e47875de1c21d8e24b664f6b83dfd82d83d4170e7b33d0427bfa0d3b0
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x91B9   Size: 11888 bytes
  • font_03_sfnt_off0000b757.bin
    SHA-256: aad9bc0f36eadc3314e08670b59090120051e308b357201f134af3d0b781b2b0
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0xB757   Size: 16312 bytes