Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a779868f8074d58…

Verdict: MALICIOUS
File type: PDF
Size: 62.7 KB
Created: 2020-10-27 06:13:12 +02:00
Authoring application (self-reported in the document's metadata, trivially forgeable): wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3c38ce7dd35b93ed0e39550fca2d4b9c
SHA-1: 93787abdf5e4ea1137bc096768df3aee71cef07f
SHA-256: 2a779868f8074d5836e1f6c85b3ac76e10130579374309fb4e129dd2d0ee40f3
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
Note: none of the heuristics below reports JavaScript in this file; treat the T1059.007 mapping as uncorroborated by the listed findings.

The PDF contains a clickable link to known malicious redirector infrastructure, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body is heavily obfuscated but carries lure text for a 'music album downloader apk' together with the malicious URL. The ML classifier also scores the file as malicious with very high confidence. The primary attack vector appears to be social engineering: the victim has to follow the embedded link, and nothing on this page indicates a parser exploit or embedded script.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction (a click) and an HTTP redirect chain rather than on a PDF parser vulnerability, so the file is harmful only if the link is followed; the redirect chain, not the PDF, decides what the victim finally receives.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs to show a scanner one object and the victim's viewer another. Body-only differences are also normal in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or action dictionaries); here it did not, hence 'info'.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that reached each URL (macro, JS, link annotation, document body, ...), and the per-URL channel labels are not reproduced in this report. The ttraff.com entry is the clickable URI referred to by PDF_MALICIOUS_REDIRECTOR_LINK; its keyword parameter matches the lure text described above.
    • https://ttraff.com/123?keyword=music+album+downloader+apk
    • https://cdn-cms.f-static.net/uploads/4366359/normal_5f8897ecf352d.pdf
    • https://cdn-cms.f-static.net/uploads/4368972/normal_5f92317936674.pdf
    • https://cdn-cms.f-static.net/uploads/4366659/normal_5f8f90758997f.pdf
    • https://cdn-cms.f-static.net/uploads/4368750/normal_5f91144e7df18.pdf
    • https://cdn-cms.f-static.net/uploads/4367303/normal_5f8e2125d4ad6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/440ddc95-b901-46ac-9727-165b5a949cb3/73353027626.pdf
    • https://uploads.strikinglycdn.com/files/44914892-f060-42a9-b539-fffb06efd6c3/59703193878.pdf
    • https://uploads.strikinglycdn.com/files/afe03636-91e6-4965-b149-24741f857c0a/17_biblical_meaning.pdf
    • https://uploads.strikinglycdn.com/files/5688bb16-1888-452a-9069-96a3bc7623cb/71132522521.pdf
    • https://s3.amazonaws.com/zuxadol/dotefofidusizezibudugik.pdf
    • https://s3.amazonaws.com/kitakilesa/libro_de_base_de_datos_uanl.pdf
    • https://s3.amazonaws.com/temujonuwu/makalah_pneumonia_pada_anak.pdf
    • https://s3.amazonaws.com/felasorarabipis/buzimilogal.pdf
    • https://s3.amazonaws.com/henghuili-files2/69488514650.pdf
    • https://s3.amazonaws.com/zifozujiwi/java_tutorial_point.pdf
    • https://uploads.strikinglycdn.com/files/9009f8d1-df13-4255-b523-73731d4845c5/52422624764.pdf
    • https://uploads.strikinglycdn.com/files/ab848ab9-69af-44e1-8ad4-b7d16c0e59fe/nelebererewifuxozid.pdf
    • https://uploads.strikinglycdn.com/files/a49dc3af-3055-4bf6-af64-a1881f1c6773/kamisama_kiss_vol_1.pdf
    • https://uploads.strikinglycdn.com/files/f470b0a6-eb29-428e-85b8-b32ab5c220c6/puwanekuxo.pdf
    • https://uploads.strikinglycdn.com/files/e23e8c2f-2ea1-4ca1-8277-4a2e65f7b483/solution_manual_for_advanced_engineering_mathematics_9th_edition.pdf
    • https://uploads.strikinglycdn.com/files/93c8d949-affa-4c0e-805f-0598c22c2dac/74421733246.pdf
    • https://uploads.strikinglycdn.com/files/dac1ba06-017e-473a-8902-0bed45df69b0/13578524700.pdf
    The remaining entries are XMP metadata namespace identifiers and font licence/vendor URLs carried in embedded font metadata (the DejaVu and SIL OFL links), routine in wkhtmltopdf output; they are not navigable link targets and should not be treated as indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
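The two structural checks above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the link-annotation extraction behind PDF_MALICIOUS_REDIRECTOR_LINK / EMBEDDED_URL, re-implemented as an added Python example; this is not the analysis engine's code. The sample PDF, the ACTIVE_KEYS list and the REDIRECTOR_DOMAINS watch-list are constructed assumptions for illustration; only the ttraff.com URL is taken from the report. The point the example makes is that a scanner must resolve objects under both first-wins and last-wins policies, because the benign and the malicious link annotation both exist in the file.

```python
import re
from collections import defaultdict

# One indirect object: "N G obj ... endobj". Adequate for text-oriented files such as
# wkhtmltopdf output; binary streams containing 'endobj' would need a real lexer.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# Assumed definition of "active content" for severity escalation. /URI is left out on
# purpose: a link action needs a click and is scored by the redirector check instead.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")

# Assumed watch-list; the report's own redirector list is not published.
REDIRECTOR_DOMAINS = {b"ttraff.com"}


def parse_objects(data):
    """Map (number, generation) -> list of body bytes, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def resolve(objs, key, policy):
    """Body a first-wins ('first') or last-wins ('last') reader would use for key."""
    bodies = objs.get(key)
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def incremental_updates(data):
    """Number of incremental-update sections appended after the original file."""
    return max(data.count(b"startxref") - 1, 0)


def duplicate_objects(objs):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (N, G) defined more than once with
    differing bodies; severity is raised only if some copy carries active content."""
    hits = []
    for key, bodies in sorted(objs.items()):
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            hits.append({"obj": key, "copies": len(bodies), "active": active,
                         "severity": "high" if active else "info"})
    return hits


def _unescape(s):
    # Only the escapes that matter inside a URL literal: \( \) \\
    return re.sub(rb"\\([()\\])", rb"\1", s)


def link_uris(objs, policy="last"):
    """EMBEDDED_URL: /URI targets as resolved under the given reader policy, labelled
    with the channel that carries them."""
    found = []
    for key in sorted(objs):
        body = resolve(objs, key, policy)
        for m in URI_RE.finditer(body):
            channel = "link-annotation" if b"/Link" in body else "uri-action"
            found.append((key, channel, _unescape(m.group(1))))
    return found


def redirector_hits(uris, domains=REDIRECTOR_DOMAINS):
    """PDF_MALICIOUS_REDIRECTOR_LINK: URIs whose host is, or is under, a watched domain."""
    hits = []
    for key, channel, uri in uris:
        m = re.match(rb"https?://([^/:?#]+)", uri, re.IGNORECASE)
        if not m:
            continue
        host = m.group(1).lower()
        if any(host == d or host.endswith(b"." + d) for d in domains):
            hits.append((key, channel, uri))
    return hits


# Constructed sample (not the analysed file): a one-page PDF whose link annotation
# (object 4) is redefined by an incremental update, so a first-wins reader lands on a
# benign URL and a last-wins reader on the redirector. Cross-reference tables are
# omitted; only the object syntax matters for these checks.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.org/docs.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://ttraff.com/123?keyword=music+album+downloader+apk) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)


def analyze(data):
    objs = parse_objects(data)
    report = {"objects": len(objs), "updates": incremental_updates(data),
              "duplicates": duplicate_objects(objs)}
    for policy in ("first", "last"):
        uris = link_uris(objs, policy)
        report[policy] = {"uris": uris, "redirector": redirector_hits(uris)}
    return report


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_PDF).items():
        print(k, v)
```

On the constructed sample, analyze() reports one duplicated object at severity info (no active content), one incremental update, a benign URI under first-wins and the ttraff.com URI under last-wins; only the last-wins view produces a redirector hit. A production scanner would additionally have to unpack object streams (/ObjStm) and honour the cross-reference tables, since both are further places where a first-wins and a last-wins reader can disagree.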

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded sfnt (TrueType/OpenType) font programs, as expected from a wkhtmltopdf-rendered document; no executable, script or second-stage document was carved. Offsets are file offsets of the font stream; sizes are those of the decoded font, which is why they exceed the distance between consecutive offsets.

  • font_00_sfnt_off00006427.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6427
    Size: 11392 bytes
    SHA-256: b27b1696b1c8834a32dc46d3802c248038948a5e18b34918302556341369056d
  • font_01_sfnt_off0000896d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x896D
    Size: 5520 bytes
    SHA-256: 717c3a0cb787ee3b97cd4c814ce55967e3397993977be22830cd8097b502ba20
  • font_02_sfnt_off00009c22.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9C22
    Size: 4380 bytes
    SHA-256: a79cafd7ee350906aaf8ac5fe8e9f11ae32ee34156c3475347cf0a7f3f046941
  • font_03_sfnt_off0000acfe.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xACFE
    Size: 12204 bytes
    SHA-256: aec1ecabe57310e04d369c5ab85ce4d31536275a871e698cc8d86ba2f9a32662
  • font_04_sfnt_off0000d5c2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD5C2
    Size: 16076 bytes
    SHA-256: 007377d672ad35e960bd13d3f92b574e68300ebd174b34df27fa78aa6545cdcd
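The carving step behind this table, as an added Python example that is not the analysis engine's code: walk every stream object, decode FlateDecode streams, keep those whose first four bytes are an sfnt signature, and emit the same filename/offset/size/SHA-256 fields the table shows. The two-stream sample PDF and the 32-byte stand-in font are constructed for the example; the regex-based stream scanner is an assumption that suffices for simple files but is not a full PDF parser.

```python
import hashlib
import re
import struct
import zlib

# Stream dictionary (one nesting level deep) followed by the 'stream' keyword;
# m.end() is the file offset where the raw stream data begins.
STREAM_RE = re.compile(rb"<<([^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n", re.DOTALL)
# Direct /Length only; "/Length 5 0 R" (indirect) deliberately does not match.
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s*\d+\s+R)")
SFNT_MAGIC = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)",
              b"OTTO": "OpenType/CFF", b"ttcf": "TrueType collection"}


def raw_stream(data, m):
    """Bytes of the stream whose dictionary match is m, before any filter is undone."""
    start = m.end()
    lm = DIRECT_LENGTH_RE.search(m.group(1))
    if lm:
        return data[start:start + int(lm.group(1))]
    end = data.find(b"endstream", start)      # indirect /Length: fall back to the keyword
    return data[start:end].rstrip(b"\r\n")


def carve_fonts(data):
    """One record per embedded sfnt font, in file order, shaped like the report table."""
    found = []
    for m in STREAM_RE.finditer(data):
        raw = raw_stream(data, m)
        if b"/FlateDecode" in m.group(1):
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue                          # corrupt or truncated stream: not carvable
        kind = SFNT_MAGIC.get(raw[:4])
        if kind is None:
            continue                              # page content, image, XMP, etc.
        off = m.end()
        found.append({"filename": "font_%02d_sfnt_off%08x.bin" % (len(found), off),
                      "offset": off, "size": len(raw), "kind": kind,
                      "sha256": hashlib.sha256(raw).hexdigest()})
    return found


def _fake_sfnt():
    """Constructed stand-in for a font: a valid sfnt header with one table record."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"head", 0, 28, 4)
    return header + record + b"\x00" * 4


def _build_sample():
    """Constructed two-stream PDF: a Flate-compressed font plus a plain content stream."""
    font = _fake_sfnt()
    comp = zlib.compress(font)
    head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    fontobj = (b"2 0 obj\n<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n"
               % (len(comp), len(font))) + comp + b"\nendstream\nendobj\n"
    tail = b"3 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n%%EOF\n"
    return head + fontobj + tail, font


SAMPLE_PDF, SAMPLE_FONT = _build_sample()
SAMPLE_FONT_SHA256 = hashlib.sha256(SAMPLE_FONT).hexdigest()
SAMPLE_FONT_OFFSET = SAMPLE_PDF.index(b">>\nstream\n") + len(b">>\nstream\n")

if __name__ == "__main__":
    for art in carve_fonts(SAMPLE_PDF):
        print(art)
```

Hashing the decoded font rather than the compressed stream is what makes the SHA-256 values comparable across samples: the same subsetted font recompressed by a different zlib level yields a different stream but the same carved artifact hash, which is the property you want when pivoting on shared font programs between documents from one generator.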