Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bf0ccd964546a36…

MALICIOUS

PDF

100.0 KB Created: 2020-07-29 13:28:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a74c904b4913b0ce4b77ada35a35f30b SHA-1: d0a6988ae8fd5256f098a25b08d8e05ddfa18e8a SHA-256: 0bf0ccd964546a36b7a3af1bbf09406756199b2c6208745665e56e48b254b9c7
234 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of links to other PDFs, masquerading as a resource for legal documents. This is indicative of an SEO link farm used to distribute malicious content, likely as part of an advance-fee scam or to distribute malware. The presence of a malicious redirector link further supports this assessment. No scripts were extracted, but the document structure and heuristics point towards a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=insolvency+and+bankruptcy+code+2020+pdf+download
    • http://files.delriohispanicchamber.org/uploads/1/3/0/9/130969772/fikoweko.pdf
    • http://files.estellessweetitchblankets.com/uploads/1/3/1/4/131409170/tixavaxanepuluxuvit.pdf
    • http://files.nsksstaffers.com/uploads/1/3/1/6/131606563/758bbd.pdf
    • http://files.crazyabtcupcakessd.com/uploads/1/3/0/7/130775150/fufoxinaxe-serizawa.pdf
    • http://files.elasticfive.com/uploads/1/3/1/3/131379296/4661483.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0428/3197/0460/files/49537916793.pdf
    • https://cdn.shopify.com/s/files/1/0437/6998/7221/files/dibuloso.pdf
    • https://cdn.shopify.com/s/files/1/0431/8176/8872/files/wuneven.pdf
    • https://cdn.shopify.com/s/files/1/0433/4449/4750/files/43211878961.pdf
    • https://cdn.shopify.com/s/files/1/0434/7671/3637/files/27331659929.pdf
    • https://cdn.shopify.com/s/files/1/0430/4017/8333/files/25599227962.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/43692268827.pdf
    • https://cdn.shopify.com/s/files/1/0430/8851/1130/files/tofefefesenu.pdf
    • https://cdn.shopify.com/s/files/1/0431/0515/7282/files/libogogoxazib.pdf
    • https://cdn.shopify.com/s/files/1/0429/1674/1286/files/redibofixogufad.pdf
    • https://cdn.shopify.com/s/files/1/0430/1104/7575/files/17631116110.pdf
    • https://cdn.shopify.com/s/files/1/0428/8770/8825/files/43482416508.pdf
    • https://cdn.shopify.com/s/files/1/0428/5261/4311/files/78930996406.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014b45.bin
2cf3ae8a3ada47f814fa816b73c0fb1dca95ec6f2eecf34999f1e546114e7d1e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14B45 5652 bytes
font_01_sfnt_off00015ea8.bin
e4e383bb66c5f892cf4d78d0b13fb3b45a3e0aa92b3a7d155d3bf46ecd6577ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15EA8 10436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.