Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d567bb7cbcd0d3f…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
Created: 2020-08-22 00:41:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1b9967ecbda9d1e7844f90c4b4ea1ca7
SHA-1: 5dae7738787ce7ef1556a2e4273820fc25021bf0
SHA-256: 0d567bb7cbcd0d3f630dc4ec8faa02a4c6138c01cb4874baff185e7e4fc12289
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many pointing to Shopify domains, but one critical link directs to a known malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external PDF links, suggesting an attempt to manipulate search engine results or drive traffic. The ML classifier also strongly flagged this PDF as malicious. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/pify?keyword=boulevard+des+airs+bruxelles++free

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006002.bin
    SHA-256: 3063e58c7dc428467a8b23011de858ac106d8ee3f2e457ea75a539ed753a95ab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6002
    Size: 4916 bytes
  • Filename: font_01_sfnt_off000070d2.bin
    SHA-256: 27857b7e52d1370a6320d48a68cf18d518cd49b1fb439118a4d0cf799769fa31
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x70D2
    Size: 11996 bytes
  • Filename: font_02_sfnt_off00009774.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9774
    Size: 4324 bytes