Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e2e416452a16f99…

MALICIOUS

PDF

49.2 KB Created: 2020-07-30 15:40:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6f49772c41ed339ced114e9a8708851 SHA-1: e83dfd019603efc12f5d3b6394ad43ba2b98d805 SHA-256: 0e2e416452a16f992a1eccb003bc3c0da6100ccfe4d158a60482d7c6d9c26076
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to redirector infrastructure or link farms, suggesting an attempt to drive traffic to malicious sites. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' and the presence of numerous Shopify-hosted PDFs indicate a pattern of SEO-based link manipulation. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document may be part of a multi-stage attack, potentially intended to bypass initial security scans.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ejercicios+numeros+romanos+1+eso+resueltos+pdf
    • http://files.graceub.com/uploads/1/3/2/6/132681404/6733747.pdf
    • http://files.myredhairedauntie.shop/uploads/1/3/1/4/131409017/jejolag.pdf
    • http://files.lesbiansinfleeces.com/uploads/1/3/2/6/132696171/xuxulikalagu_benuworoza.pdf
    • http://files.coachtoexpectsuccess.com/uploads/1/3/1/3/131384145/4c1bc76.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0435/9664/4511/files/namuwadaburu.pdf
    • https://cdn.shopify.com/s/files/1/0441/2522/5112/files/gunufute.pdf
    • https://cdn.shopify.com/s/files/1/0432/6470/4662/files/16843148947.pdf
    • https://cdn.shopify.com/s/files/1/0427/9071/5548/files/29079025936.pdf
    • https://cdn.shopify.com/s/files/1/0431/2226/2178/files/52962151972.pdf
    • https://cdn.shopify.com/s/files/1/0433/9888/9635/files/38937154904.pdf
    • https://cdn.shopify.com/s/files/1/0429/9577/7699/files/41527155679.pdf
    • https://cdn.shopify.com/s/files/1/0429/6248/5407/files/goxekitusaxive.pdf
    • https://cdn.shopify.com/s/files/1/0428/5811/9334/files/74897390121.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dokole.pdf
    • https://cdn.shopify.com/s/files/1/0437/7644/2519/files/vujivuniwenufuxitex.pdf
    • https://cdn.shopify.com/s/files/1/0429/7788/6367/files/kodemujeseguxi.pdf
    • https://cdn.shopify.com/s/files/1/0436/9213/0458/files/seputugexutoxarazimil.pdf
    • https://cdn.shopify.com/s/files/1/0428/1755/2543/files/dejabeponiweturilizejivag.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007cb5.bin
04e9401fc8874a109842583e1888254ed752e6788bea12d44e591fcabde7a263		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CB5 5268 bytes
font_01_sfnt_off00008e84.bin
22a99f00eba3c4a0dbdbbdbda197caf36a2716a371687e7afe8a27b3cf02bf36		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E84 12004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.