Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bf0368d828f93ea…

MALICIOUS

PDF

48.0 KB Created: 2020-09-18 21:16:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a99c6f4c6981fe100e7ee801d646e27 SHA-1: c4620a9518221eb35078232225b6d9b3c8fd65ba SHA-256: 0bf0368d828f93ea432436eb7c29ccddfeb4a8b438d6c5eca1052ef4b9e6782b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links, one of which points to a known malicious redirector. The document body, though heavily obfuscated, contains text suggesting a lure related to a 'business meme generator' and includes the malicious URL. The presence of numerous external PDF links, many hosted on Shopify, suggests a link farm or SEO poisoning tactic to distribute the malicious PDF. No scripts were extracted, but the PDF structure itself facilitates the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=business+meme+generator
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0435/6436/8021/files/60968391749.pdf
    • https://cdn.shopify.com/s/files/1/0463/2569/4619/files/dojoziboduwatebo.pdf
    • https://cdn.shopify.com/s/files/1/0431/7632/9373/files/gujajapikomo.pdf
    • https://cdn.shopify.com/s/files/1/0434/5842/9078/files/beko_asd241s_american-_style_fridge_freezer_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/3937/5012/files/vegakafinodesutujasumuk.pdf
    • https://cdn.shopify.com/s/files/1/0437/0608/9640/files/physics_5th_edition_halliday_resnick_krane.pdf
    • https://cdn.shopify.com/s/files/1/0436/0064/2211/files/23643584436.pdf
    • https://cdn.shopify.com/s/files/1/0433/6726/8517/files/44617404177.pdf
    • https://cdn.shopify.com/s/files/1/0427/9821/9420/files/diary_of_a_madman_nikolai_gogol.pdf
    • https://cdn.shopify.com/s/files/1/0430/6980/0597/files/noveke.pdf
    • https://ae691697-3cdc-4ca8-9f29-3eea23e197aa.filesusr.com/ugd/5ccfc8_3b4e232fee5c412db32cbbedec0ef953.pdf?index=true
    • https://cc38f40e-dc8c-44d3-a5b8-246cffeb4528.filesusr.com/ugd/08fe48_ebc86d20987547618cc106180e8495ed.pdf?index=true
    • https://3a262a65-5093-42ce-90a6-3d5e88118142.filesusr.com/ugd/592671_6eca398ce69446b69cb6fee7d378a2c3.pdf?index=true
    • https://cb750f64-0834-44a3-a702-7959a350d941.filesusr.com/ugd/74e9cf_152cdf54e2494afb9157529970a5b29d.pdf?index=true
    • https://cd541e8d-261d-4e4b-b630-55ff945e320b.filesusr.com/ugd/3826db_b2cb21020f4a400184995b46b7c94383.pdf?index=true
    • https://1963e425-9207-4f28-96cb-ff1fb791d515.filesusr.com/ugd/d31907_5dfa5b967bd34506a1d8d22dfe4c768d.pdf?index=true
    • https://084f1f13-ac60-4cbc-9413-67f199971c0c.filesusr.com/ugd/f1c748_c32894d1aec84081adb71207d5eea4af.pdf?index=true
    • https://c4992c82-07f7-4959-93bd-fb3c488f1e3f.filesusr.com/ugd/ca32a8_84cc89d245cc47f0906b17d11735f7b2.pdf?index=true
    • https://0d2131a5-8a6a-4b75-96a9-dcc6c35ed718.filesusr.com/ugd/c75f60_469b084b60cc4a50881c8f5195f6fd89.pdf?index=true
    • https://ec7d5e77-00c0-4a30-b8ea-88def8ab8879.filesusr.com/ugd/eb6612_990241b926ab448e89c3fa275371c006.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000666d.bin
0012bf76d623a1ffef03145914105fc719a0afe2a4e5dd8424780671b6982593		 pdf-font-stream PDF embedded font (sfnt) at offset 0x666D 4904 bytes
font_01_sfnt_off000076ef.bin
4625e796748b575568e8d7bdaf9b529ac73c3d4a97bbbd31721be51ea0c2d7e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76EF 2108 bytes
font_02_sfnt_off000080be.bin
7f0525eaaea7cb5ff4ae9393c1dd71ea8726798821989a0b8cdff32bab85c99d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80BE 10408 bytes
font_03_sfnt_off0000a46c.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA46C 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.