Malicious PDF — malware analysis report

Static analysis result for SHA-256 2872021b4fbd9151…

MALICIOUS

PDF

41.3 KB Created: 2020-10-26 13:16:29 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-02
MD5: 541c4e75b7ee76dc068c330deb61fdc3 SHA-1: 86b9f7c4786512e6c2cf46da4e5faa04a6935dcd SHA-256: 2872021b4fbd9151866cc9443da1632bb4a5d80b2b31fc25077cee50d327999e
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links, with one identified as a malicious redirector. The document body, though partially corrupted, suggests a lure related to 'artistic direction' to entice clicks. The presence of numerous external PDF links, many pointing to benign Shopify URLs, indicates a link farm strategy, with the primary malicious link being the most critical IOC. No scripts were extracted, but the PDF structure itself facilitates the malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/aws?keyword=manual+de+direcci%25C3%25B3n+art%25C3%25ADstica+cinematogr%25C3%25A1fica+pdf In PDF document text
    • https://nedudefo.weebly.com/uploads/1/3/4/3/134389218/puzirevodelebe.pdfIn PDF document text
    • https://kimumowo.weebly.com/uploads/1/3/4/4/134480515/9243451.pdfIn PDF document text
    • https://pavowojavujide.weebly.com/uploads/1/3/1/3/131398322/5039080.pdfIn PDF document text
    • https://fufivivol.weebly.com/uploads/1/3/0/8/130873849/sasagaluxixu.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://cdn.shopify.com/s/files/1/0428/2381/1239/files/paul_preciado_testo_junkie.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0486/2404/2149/files/zesosujekakewafu.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0459/9542/5949/files/kailanan_ng_panghalip_panao_worksheets.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0479/6694/5447/files/viber_apk_for_android.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/7804/4833/files/kuxilewanixofenidulare.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0503/2725/7271/files/vavitifigegukekajurifesi.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/8400/8603/files/ba_oh_2_strong_or_weak.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/3937/3477/files/shark_lift_away_pro_steam_pocket_mop_accessories.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0497/2360/5153/files/50947275362.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8ad5e1a7-a809-4116-9601-870909858bc4/69281947.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9d096a3f-5b1b-4708-8981-2491c63ecb8e/woded.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e329e4fb-7767-4d05-ad60-4d92a82f9f48/funowegejobovubezetek.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/669d2f09-5f15-4ba2-9d8f-0d63926f5aca/77528020336.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e5eb5f2a-8d6b-4a47-b52d-63f20d7614a6/pupebifanunigibekaxukel.pdfIn PDF document text
    • https://s3.amazonaws.com/rebomedug/petty_cash_book_problems_and_solutions.pdfIn PDF document text
    • https://s3.amazonaws.com/fenatagazise/54249343777.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000050cf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x50CF 5788 bytes
SHA-256: 986edcdf0c4411679cc3f1a698b2753f01abc5ca9227fecd62b765eddd064d97
font_01_sfnt_off00006383.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6383 10932 bytes
SHA-256: 499ddea00ed85d06e1ec84ebf89c2cff980cca113f952dc49c97843bf88f7c80
font_02_sfnt_off00008728.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8728 4324 bytes
SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361