Malicious PDF — malware analysis report

Static analysis result for SHA-256 0dc414ca86430263…

Verdict: MALICIOUS
File type: PDF
Size: 67.5 KB
Created: 2020-08-02 15:28:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e98710b2194c602ca1b917f4ba289492
SHA-1: 9937dce684ea0be9f0ca8acb32792afbe1a23349
SHA-256: 0dc414ca864302638ead7f3a2c8e8bfe9553d91bf7378e3108c2c1f7960d6628
Risk score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of external links, one of which points at known malicious redirector infrastructure. The document body, though heavily obfuscated, carries the redirector URL and text associated with SEO link farming, and the ML classifier scored the file as malicious with high confidence. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not backed by a carved artifact; the embedded URLs and the redirector instead indicate a user-interaction lure that leads the reader into a redirect chain, most likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not, hence the informational rating.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=flipping+table+emote
    • http://files.mrmichaelmccloskey.com/uploads/1/3/2/8/132816096/bee27f.pdf
    • http://files.toacarving.com/uploads/1/3/1/3/131384575/forezevufut-weloxiza-losiputoka-wexixasid.pdf
    • http://files.a-senseofplace.com/uploads/1/3/2/3/132302824/e7d968.pdf
    • http://files.newenergycreator.com/uploads/1/3/2/7/132740378/pazadib.pdf
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.thdl.org/http://www.thdl.org/Tibetan
    • https://cdn.shopify.com/s/files/1/0430/6498/3703/files/14087713156.pdf
    • https://cdn.shopify.com/s/files/1/0429/9263/1962/files/32296071123.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78992801071.pdf
    • https://cdn.shopify.com/s/files/1/0428/8974/0441/files/32844405227.pdf
    • https://cdn.shopify.com/s/files/1/0437/6628/4446/files/51630262819.pdf
    • https://cdn.shopify.com/s/files/1/0438/3434/3574/files/79048275800.pdf
    • https://cdn.shopify.com/s/files/1/0432/5156/4707/files/videxetisusajipot.pdf
    • https://cdn.shopify.com/s/files/1/0431/7328/1948/files/mabokuripunegilomabebivo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/85155057715.pdf
    • https://cdn.shopify.com/s/files/1/0440/8072/6168/files/wenanomerutefabigoguvogu.pdf
    • https://cdn.shopify.com/s/files/1/0431/4277/4935/files/robifiduraze.pdf
    • https://cdn.shopify.com/s/files/1/0433/9872/5793/files/87504941269.pdf
    • https://cdn.shopify.com/s/files/1/0432/1135/8369/files/fallen_london_appalling_secrets.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.htmlTibetan
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
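The three structural heuristics above (redirector link, PDF link farm, duplicated object body) can be reproduced with a few lines of raw byte scanning. The block below is an added example written for this page, not the analysis tool's own code: it builds a constructed, non-renderable PDF-like blob that reuses a handful of the URLs listed above, extracts /URI link targets, scores the link-farm pattern (small file, many external .pdf links clustered on one host), and flags an object number defined twice with different bodies, resolving it the way a first-wins and a last-wins reader would. The thresholds, the treatment of ttraff.cc as the redirector host, and the regexes are assumptions; the report does not state which URL matched or what cut-offs it uses.

```python
"""Triage heuristics for SEO link-farm PDFs (added example, not the report tool's code)."""
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: enough 'N G obj ... endobj' structure for the scanners below,
# with link annotations and object 5 defined twice with different bodies.
# It is not a valid, renderable PDF.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ttraff.cc/pify?keyword=flipping+table+emote) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0430/6498/3703/files/14087713156.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0429/9263/1962/files/32296071123.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.toacarving.com/uploads/1/3/1/3/131384575/x.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0433/0687/7080/files/78992801071.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumption: which host counts as "known redirector infrastructure" is not stated in the report.
KNOWN_REDIRECTOR_HOSTS = {"ttraff.cc"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values only; hex-string (<...>) URIs are not handled here.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)


def iter_objects(data):
    """Yield (num, gen, body_bytes, offset) for every 'N G obj ... endobj', in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def duplicate_objects(data):
    """Map (num, gen) -> list of body SHA-256s for objects defined more than once
    with differing bodies (the first-wins vs last-wins parser-confusion shape)."""
    seen = {}
    for num, gen, body, _ in iter_objects(data):
        seen.setdefault((num, gen), []).append(hashlib.sha256(body).hexdigest())
    return {k: v for k, v in seen.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(data, num, gen, last_wins):
    """Return the body a first-wins (last_wins=False) or last-wins reader would use."""
    bodies = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    return bodies[-1] if last_wins else bodies[0]


def link_uris(data):
    """Extract /URI targets from link annotations as text (latin-1 keeps raw bytes lossless)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def redirector_links(data, known_hosts=KNOWN_REDIRECTOR_HOSTS):
    """URIs whose host is in the known-redirector set (PDF_MALICIOUS_REDIRECTOR_LINK shape)."""
    return [u for u in link_uris(data) if urlparse(u).netloc.lower() in known_hosts]


def link_farm_score(data, max_size=200_000, min_links=10, cluster_ratio=0.5):
    """Small file + many external .pdf links + most of them on one host (PDF_SEO_LINK_FARM shape).
    Thresholds are assumptions chosen for this example."""
    pdf_links = [u for u in link_uris(data) if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    clustered = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(data),
        "external_pdf_links": len(pdf_links),
        "top_host": top_host,
        "cluster_ratio": clustered,
        "hit": len(data) <= max_size and len(pdf_links) >= min_links and clustered >= cluster_ratio,
    }


if __name__ == "__main__":
    print("duplicates:", duplicate_objects(SAMPLE_PDF))
    print("redirector:", redirector_links(SAMPLE_PDF))
    print("link farm:", link_farm_score(SAMPLE_PDF, min_links=3))
```

With the default threshold of ten links the constructed sample does not trip the link-farm rule; the real sample, at 67.5 KB with the twenty-odd external .pdf links listed above, would. Resolving the duplicated object both ways is the check worth keeping in a triage pipeline: if the two readings differ in anything more than layout, the duplicate deserves the raised severity the heuristic description mentions.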

Extracted artifacts (6)

Files carved from inside the sample during analysis.

stream_006_off0000a32d.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA32D
  Size: 2196 bytes
  SHA-256: c28d5071b0547276da6ca2d4d172d93563d427254981a5f24e3c3dec54a010cc

font_00_sfnt_off0000690f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x690F
  Size: 6872 bytes
  SHA-256: c8f4b0e6e60d4169f908d770e8717615a5a4e02c6e297d1989c8f6e69f4a05bc

font_01_sfnt_off000080a4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x80A4
  Size: 4960 bytes
  SHA-256: abb32fcba250b17951795056fa4e3e7528bb18a5c8b96d30a16234504ad16777

font_02_sfnt_off0000917e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x917E
  Size: 8904 bytes
  SHA-256: 460db12ad75d5a19b4e283d91d342810f8890c1c2ba0639a5b9c9a750e00566c

font_04_sfnt_off0000ad45.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAD45
  Size: 16040 bytes
  SHA-256: 962ac5bdd3a2071a84364cde2a08c0f006c0c628c239469ba5febf8013587a3b

font_05_sfnt_off0000e05c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE05C
  Size: 18412 bytes
  SHA-256: d20775720035d3474dd098b2990adc6cb38a4acc45d1ba64307cb36866cb63ea
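To reproduce the carving above (FlateDecoded streams inflated, embedded sfnt fonts recognised by their header, each artifact named by object number and file offset and hashed), the block below is an added example written for this page, not the analysis tool's own carver. It builds a constructed PDF fragment with one compressed content stream, one compressed stand-in font and one uncompressed stream, then walks every `N G obj << ... >> stream` header, honours a direct /Length when present and falls back to searching for `endstream` otherwise. The file-naming scheme, the kind labels and the sfnt magic list are assumptions modelled on the table above; indirect /Length values and filters other than FlateDecode are not handled.

```python
"""Carve FlateDecode streams and embedded sfnt fonts from a PDF (added example, not the report tool's code)."""
import hashlib
import re
import zlib

# 'N G obj << dict >> stream\n' headers; the dict may not cross an 'endobj'.
HEAD_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# Direct integer /Length only ('/Length 12 0 R' indirect references are excluded).
LEN_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
# sfnt container signatures: TrueType, OpenType/CFF, Apple 'true', TrueType collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def build_sample():
    """Constructed PDF fragment: compressed content stream, compressed fake sfnt, plain stream."""
    content = b"BT /F1 12 Tf 72 700 Td (Hello) Tj ET"
    font = b"\x00\x01\x00\x00" + b"\x00" * 60  # stand-in for a TrueType header, 64 bytes
    comp, fcomp = zlib.compress(content), zlib.compress(font)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + comp + b"\nendstream\nendobj\n"
            b"5 0 obj << /Length " + str(len(fcomp)).encode() + b" /Filter /FlateDecode /Length1 64 >>\n"
            b"stream\n" + fcomp + b"\nendstream\nendobj\n"
            b"6 0 obj << >>\nstream\nplain\nendstream\nendobj\n"
            b"%%EOF\n")


def carve_streams(data):
    """Return one record per stream: object id, offset of the raw data, kind, size, SHA-256, payload."""
    out = []
    for m in HEAD_RE.finditer(data):
        num, gen, odict = int(m.group(1)), int(m.group(2)), m.group(3)
        start = m.end()
        lm = LEN_RE.search(odict)
        if lm:
            raw = data[start:start + int(lm.group(1))]
        else:
            end = data.find(b"endstream", start)
            if end < 0:
                continue  # truncated file; nothing to carve
            raw = data[start:end].rstrip(b"\r\n")
        payload, kind = raw, "raw-pdf-stream"
        if b"/FlateDecode" in odict:
            try:
                payload, kind = zlib.decompress(raw), "decompressed-pdf-stream"
            except zlib.error:
                kind = "undecodable-flate-stream"  # keep raw bytes; a broken filter is itself worth a look
        if payload[:4] in SFNT_MAGICS:
            kind = "pdf-font-stream"
        prefix = "font" if kind == "pdf-font-stream" else "stream"
        out.append({
            "object": (num, gen),
            "offset": start,
            "kind": kind,
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "filename": f"{prefix}_{num:03d}_off{start:08x}.bin",
            "data": payload,
        })
    return out


if __name__ == "__main__":
    for art in carve_streams(build_sample()):
        print(art["filename"], art["kind"], art["size"], art["sha256"][:16])
```

Carving from raw bytes rather than through a PDF library is deliberate: a parser that resolves object references will silently pick one of two duplicated bodies, while a byte-level walk surfaces every stream present in the file, including ones no reader would render.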