Malicious PDF — malware analysis report

Static analysis result for SHA-256 23cdbef41fd8ede5…

MALICIOUS

PDF

33.4 KB Created: 2020-07-10 21:16:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 19492090e711ae8f44d237e27f51e2d4 SHA-1: bc5f31dcd29671e67330d11182a970fa415da74c SHA-256: 23cdbef41fd8ede5fb1da755e50e609f0a32c9be8b985216e86b5d52598c7958
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many of which point to domains associated with link farms and redirectors. The primary malicious link identified is https://ttraff.com/pify?keyword=centum+vp+manual+pdf, which is flagged as a known malicious redirector. The document body, though partially obfuscated, also contains numerous links to external PDF files, suggesting a lure to a network of potentially compromised or malicious sites. The ML classifier strongly supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=centum+vp+manual+pdf
    • http://files.itsnclexreview.com/uploads/1/3/1/3/131380305/3785983.pdf
    • http://files.grcrowfamily.com/uploads/1/3/1/0/131070190/3426f7e.pdf
    • http://files.foresitemapping.com/uploads/1/3/1/4/131406606/f44cad48b44.pdf
    • http://files.kaileecristina.com/uploads/1/3/1/3/131398573/sobipubebitaki.pdf
    • http://files.baldwincountybossbabes.com/uploads/1/3/2/3/132303126/tutuvobefivomelati.pdf
    • http://files.susannaclasby.com/uploads/1/3/1/0/131070035/7960361.pdf
    • http://files.barryshlachter.net/uploads/1/3/1/1/131163920/waribuvufaxuj.pdf
    • http://files.mmejoyal.com/uploads/1/3/0/7/130776309/7717665.pdf
    • http://files.noseyroseytiedye.com/uploads/1/3/0/7/130776196/705df64.pdf
    • https://nikemisar.files.wordpress.com/2020/07/foteteva.pdf
    • https://talosakek.files.wordpress.com/2020/07/72480321491.pdf
    • https://gekopumidade.files.wordpress.com/2020/07/88908585696.pdf
    • https://kiligirili.files.wordpress.com/2020/06/wagivujokizusulisub.pdf
    • https://pekiseto.files.wordpress.com/2020/06/gipubuvuseriku.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/tozonolemudafolafoxi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/zutazalurofesavasa.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/31082235151.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/dekafarisajanitid.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c34.bin
340b2b33be5cfba234eac3a3a3143386e54a72caea57dc73a69b9962c347c93c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C34 4720 bytes
font_01_sfnt_off00005c35.bin
4c7ce1dbe3f5d54fe91ee93dc7f5d3f80937cb560260db54a8371604bdd077ad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C35 8268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.