Malicious PDF — malware analysis report

Static analysis result for SHA-256 16e7963682ec4d73…

Verdict: MALICIOUS
File type: PDF
Size: 44.8 KB
Created: 2020-09-16 23:45:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 90b6d347f18c4fa4d3ba125b6003b4fa
SHA-1: fd1f6820a4f7177f71f3bf516e42096d7a6c3772
SHA-256: 16e7963682ec4d730c728f5785b18b13cecaa2e781cc2f0dd17d4de1336800b4
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains a link to a redirector service, which is a strong indicator of malicious intent. The redirector is associated with a keyword search for 'skyvpn old version apk', suggesting a lure for users seeking specific software. The document also hosts a large number of external PDF links, many of which point to benign Shopify domains, likely as part of a link farm to improve search engine ranking for the malicious content. No scripts were extracted, but the presence of a malicious redirector and the link farm strategy indicate a phishing or potentially unwanted software distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.club/wix?keyword=skyvpn+old+version+apk

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256 on the following line)   Kind             Source                                      Size
font_00_sfnt_off00006977.bin               pdf-font-stream  PDF embedded font (sfnt) at offset 0x6977   5280 bytes
  132cb98559911602fd1ceae80d83fd8e5f19deb59c744102ebd7a9511dd764e5
font_01_sfnt_off00007b8a.bin               pdf-font-stream  PDF embedded font (sfnt) at offset 0x7B8A   13448 bytes
  6b5669f78e75c214d99bad8c8e9312145a33eccb2d6393b1ad76d8edb5cedd71