Malicious PDF — malware analysis report

Static analysis result for SHA-256 13259aa47d2a036c…

MALICIOUS

PDF

41.5 KB Created: 2020-08-02 17:31:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45695ad3440ba6c1058ef74fa88fc0e0 SHA-1: 17f4a4d152cbb68227ad71d8057864451db2f03b SHA-256: 13259aa47d2a036cd1c8323ae70448593702eab922d47475b90c287b4eaee0e9
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one critical heuristic identifying a link to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text that appears to be a lure for a "craftsman chainsaw manual". The presence of many external PDF links suggests a link farm or SEO poisoning attempt to drive traffic to malicious sites. No scripts were extracted, but the primary attack vector appears to be directing users to malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=20%20craftsman%20chainsaw%20manual
    • http://files.kellyharkinsdesigns.com/uploads/1/3/1/8/131856039/tanifatexoziwo_kowaxososenezi_napelibapuda.pdf
    • http://files.rocksfestivals.com/uploads/1/3/1/4/131406149/rodaweripogatipiteb.pdf
    • http://files.alisapoplavskaya.com/uploads/1/3/0/8/130874338/jureginelebubi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/6148/5471/files/54484109827.pdf
    • https://cdn.shopify.com/s/files/1/0431/8658/5749/files/zefibuxevaworakugo.pdf
    • https://cdn.shopify.com/s/files/1/0430/2585/8714/files/fuwubufufirarisad.pdf
    • https://cdn.shopify.com/s/files/1/0431/2468/7014/files/nabanonejuvan.pdf
    • https://cdn.shopify.com/s/files/1/0428/9619/5737/files/dosesoxute.pdf
    • https://cdn.shopify.com/s/files/1/0432/3511/5176/files/tetovuxufupifogeja.pdf
    • https://cdn.shopify.com/s/files/1/0433/3862/9270/files/8764702695.pdf
    • https://cdn.shopify.com/s/files/1/0432/5317/0339/files/rujadudumevipu.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/69143450337.pdf
    • https://cdn.shopify.com/s/files/1/0433/4632/9750/files/21910438118.pdf
    • https://cdn.shopify.com/s/files/1/0429/0281/4876/files/rorawilabofotefitab.pdf
    • https://cdn.shopify.com/s/files/1/0431/3900/6632/files/880896852.pdf
    • https://cdn.shopify.com/s/files/1/0432/8783/8886/files/45680855278.pdf
    • https://cdn.shopify.com/s/files/1/0431/7973/7237/files/93748884162.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006479.bin
334be5520c9b722d786cbf73375af24bd5fedfef1cb5eb6290c6670afe57b7e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6479 5392 bytes
font_01_sfnt_off000076b4.bin
cf5c21190dc68cbbf4e486e8f44c81d86a6cc022c8eec82c05e203dc3697309b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76B4 10168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.