Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b03ebf4dde26705…

MALICIOUS

PDF

62.2 KB Created: 2020-08-17 00:13:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c0f3507e65e27082c545862e58e41e5 SHA-1: 015cec02ea4e880371eabbc7e005b25bbae3d3cd SHA-256: 0b03ebf4dde2670591d5642cfdf00f25520770f7f417872f473dfbc97ab3b773
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded links, with one identified as a malicious redirector. The ML classifier strongly indicated maliciousness. The document body, though partially corrupted, contains text that appears to be a lure, and the presence of a link farm suggests an attempt to drive traffic to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=can%2527+t+remember+to+forget+you+video
    • http://dupav.drbiophysics.com/uploads/1/3/1/3/131383775/5479248e1d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0433/8132/5987/files/dokabojufiripegaj.pdf
    • https://cdn.shopify.com/s/files/1/0438/3470/4034/files/eureka_math_grade_8_module_2_answer_key.pdf
    • https://cdn.shopify.com/s/files/1/0427/9291/1007/files/49108196582.pdf
    • https://cdn.shopify.com/s/files/1/0432/6067/4198/files/xipowakotubikomirafose.pdf
    • https://cdn.shopify.com/s/files/1/0432/3491/8558/files/xuretivapet.pdf
    • https://cdn.shopify.com/s/files/1/0437/1575/6181/files/silent_hill_2_greatest_hits_iso.pdf
    • https://cdn.shopify.com/s/files/1/0431/8252/2528/files/tuberewidoxofukizizesoke.pdf
    • https://cdn.shopify.com/s/files/1/0430/2857/8467/files/forensic_files_episode_list.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/69296453687.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a7fe.bin
00ec745c292ed74f1262b3859265972b6e683553a56d21b5d3769e10743ce7e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA7FE 5256 bytes
font_01_sfnt_off0000b9df.bin
e3dad0e2a90916dbc83c0fbcc62e9755ec89145c632f0e91fd2f47d0bfc03e75		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB9DF 16304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.