Malicious PDF — malware analysis report

Static analysis result for SHA-256 11bb6c49e059de52…

MALICIOUS

PDF

53.5 KB Created: 2020-07-26 11:37:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1584a462c06e064c673f8db28184fbf3 SHA-1: 8e5d514e2384a037d2760bb2348370ed412204ef SHA-256: 11bb6c49e059de52358fdc0f906b0398656f5c1b75375267c96cf4f094e0edcb
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, many pointing to what appears to be a link farm, with one prominent link leading to a known malicious redirector. The ML classifier strongly indicates maliciousness. While no scripts were extracted, the presence of a malicious redirector suggests an attempt to lead the user to a malicious site, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=camille+build+guide
    • http://files.itchyfeetfamily.com.au/uploads/1/3/1/3/131382841/riniwifezadezu_nugitaveli_zikemogawilalo_mawamaradukimet.pdf
    • http://files.stoptraffickingtoday.com/uploads/1/3/2/7/132740415/b649a46.pdf
    • http://files.tranbcreative.com/uploads/1/3/2/7/132740498/8280803c27.pdf
    • http://files.bookpod.com.au/uploads/1/3/0/9/130969659/burasumejasibu-kefup-titexerite.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/benivat.pdf
    • https://cdn.shopify.com/s/files/1/0435/1574/0312/files/37576784248.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/99839510681.pdf
    • https://cdn.shopify.com/s/files/1/0429/7408/5279/files/59215768064.pdf
    • https://cdn.shopify.com/s/files/1/0430/7622/3129/files/33418315377.pdf
    • https://cdn.shopify.com/s/files/1/0432/2800/4507/files/40493434854.pdf
    • https://cdn.shopify.com/s/files/1/0431/0840/1316/files/mimezomovupukusosinixo.pdf
    • https://cdn.shopify.com/s/files/1/0431/0843/4077/files/wemuluxipixejaroxexi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/32773531818.pdf
    • https://cdn.shopify.com/s/files/1/0427/5562/1031/files/69394116682.pdf
    • https://cdn.shopify.com/s/files/1/0436/2141/7123/files/velotawidikisamalubipizax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007354.bin
791ebf3d7a1c36e16d407dfe1015092b47cd0920d8b2f980cb10a02576682e44		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7354 4620 bytes
font_01_sfnt_off000082fc.bin
34afaf07fab7d82780ac1524793633fc69f86dc5d8f79afe8cd8bb635e5c5c65		 pdf-font-stream PDF embedded font (sfnt) at offset 0x82FC 2700 bytes
font_02_sfnt_off00008e8d.bin
78c8d24dff99e09f6f611ba2f6339d02f79ef6c6ce7df18569e338b3f3f7e38f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E8D 10848 bytes
font_03_sfnt_off0000b3a5.bin
caea212bfaaf2897f4851770f673d25c90b0e412378cb4b0d6f36fafa9739068		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB3A5 16072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.