Malicious PDF — malware analysis report

Static analysis result for SHA-256 0aab945244ce17a2…

MALICIOUS

PDF

Size: 50.3 KB
Created: 2020-08-18 22:06:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: df7f1af842cae9f1f657a375f51119c3
SHA-1: 0e74917310f4e894c0179b9d91c33db256f92bf2
SHA-256: 0aab945244ce17a21d017ac85ac9433cdb4a1b8dd01a5457292dfc701dcfab1c
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a link farm and a primary malicious redirector URL, suggesting a phishing or scam attempt. The document body, though garbled, includes text related to 'kyc form' and the malicious URL, indicating an attempt to lure the user into clicking the link. The presence of numerous Shopify links, many flagged as benign, likely serves to obscure the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/pify?keyword=asclepius+wellness+pvt+ltd+kyc+form
    • http://files.lakewoodactivities.com/uploads/1/3/1/3/131380480/relineta_wojabomakuj.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/17721531589.pdf
    • https://cdn.shopify.com/s/files/1/0428/9118/2243/files/niwumafaxuwuz.pdf
    • https://cdn.shopify.com/s/files/1/0427/6197/8023/files/96932477141.pdf
    • https://cdn.shopify.com/s/files/1/0437/0812/1242/files/sivuvina.pdf
    • https://cdn.shopify.com/s/files/1/0432/1673/2320/files/xilopuneko.pdf
    • https://cdn.shopify.com/s/files/1/0429/3050/3843/files/everything_i_never_told_you_novel.pdf
    • https://cdn.shopify.com/s/files/1/0459/2366/4039/files/lifakaduluga.pdf
    • https://cdn.shopify.com/s/files/1/0430/6688/4250/files/que_es_contexto_comunitario.pdf
    • https://cdn.shopify.com/s/files/1/0440/8714/8709/files/53840888764.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

font_00_sfnt_off000057b6.bin
  SHA-256: d05365aef683aeb1715e9b18e91837dea5753c24701c9ec48e6ff6a83f1c8d10
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x57B6
  Size: 5400 bytes

font_01_sfnt_off00006a18.bin
  SHA-256: b91f3c26f37c28538ed09035cbea6f9221827f1e30b50c452f08cc820bcc167b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6A18
  Size: 3720 bytes

font_02_sfnt_off00007573.bin
  SHA-256: 1d4b5b3f416f7f9930e1947ac5a22cd9be77505ceb826eaa9128907d67c3d22f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7573
  Size: 3308 bytes

font_03_sfnt_off00008337.bin
  SHA-256: 970796b00d9c776493887746c8f4bf3ffd9ebfb393144c990f7efc92d8c50b99
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8337
  Size: 10264 bytes

font_04_sfnt_off0000a675.bin
  SHA-256: c41fc46809d2260d2d1a821cef6bb00dae560fdbad380da94a93f29d012df54e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA675
  Size: 16164 bytes