Malicious PDF — malware analysis report

Static analysis result for SHA-256 1bb03046f07cc322…

MALICIOUS

PDF

47.1 KB Created: 2020-11-02 19:43:51 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: efa165981e5e600ee8ca369fccf43bb9 SHA-1: 9a963544dd4d810569f8fd703329909ebf72f14b SHA-256: 1bb03046f07cc32246b5fc5b04ffa8a6f308fe5cf9d1759014b4e2ce0057fba5
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded URLs, with a critical heuristic identifying it as a redirector link to a known malicious infrastructure at 'https://ggtraff.ru/aws?keyword=fake+science+monthly'. Another critical heuristic flagged it as a PDF link farm, indicating a large number of external PDF links, with 'https://uploads.strikinglycdn.com/files/d0210b8a-37b4-4434-ac10-51ee166ac9bb/rikadojesovakorizi.pdf' being the first identified. The ML classifier also strongly indicated maliciousness. The document body, though heavily corrupted, contains references to the malicious URL, suggesting a lure to external malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/aws?keyword=fake+science+monthly In PDF document text
    • https://bubawupuga.weebly.com/uploads/1/3/4/3/134380130/nobizolisar.pdfIn PDF document text
    • https://firedisivimi.weebly.com/uploads/1/3/0/9/130969818/8671433.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/d0210b8a-37b4-4434-ac10-51ee166ac9bb/rikadojesovakorizi.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0505/0305/7572/files/10011054840.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0438/1379/8050/files/73850924782.pdfIn PDF document text
    • https://s3.amazonaws.com/lojigevaxive/84029700381.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/6683/3093/files/schwinn_le_tour_tire_size.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/4154/4599/files/cthulhu_wars_manual_espaol.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7658682c-9c38-4634-920a-24f2d6ead845/94764097849.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/3588/8296/files/zovokabaje.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/129873c4-0acb-48fb-89d2-f6a6f6cc9349/pegaxuzuregeduwefofamif.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d4f4d5bf-96f7-474b-9692-e1b61712bf57/arapa_trke_szlk_online.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0481/6794/4341/files/android_tivi_sony_75_inch_kd-75x8500f.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a82a2033-a693-4b6e-9dae-bc3c7a23c9a5/65921942109.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fe0457fc-3f8e-4423-af3b-717a6811bbfd/28252548718.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007711.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7711 5064 bytes
SHA-256: 9ae332d59deed928daa543ad12157a70298c8edfebb7851dd39263226ca062d1
font_01_sfnt_off00008838.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8838 12216 bytes
SHA-256: 7e48e1e850fd020f8270e50c80055b071d40dc63fbd9f23bd6150d50f3fa7958