Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f7adbc62cb877c9…

MALICIOUS

PDF

46.8 KB Created: 2020-10-25 19:07:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cac86e4e30e7c7ca79fd5be1137a58b6 SHA-1: 51f0b9b5e52ccd1f2de7e110b23454ff45f15080 SHA-256: 2f7adbc62cb877c9adbe398131f26455e3443888448832fd4595bb3a73330f26
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link that redirects to malicious infrastructure, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body and embedded URLs suggest a lure to download a file, likely a payload, under the guise of a 'periodic table'. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the redirection and link farm heuristics point to a downloader or redirector pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?keyword=download+periodic+table+with+names+of+elements+pdf
    • https://cdn-cms.f-static.net/uploads/4382208/normal_5f8ffe075f802.pdf
    • https://cdn-cms.f-static.net/uploads/4389603/normal_5f8d9817b7efd.pdf
    • https://cdn-cms.f-static.net/uploads/4390057/normal_5f8e863ac9f3c.pdf
    • https://cdn-cms.f-static.net/uploads/4388629/normal_5f8e45a999839.pdf
    • https://cdn-cms.f-static.net/uploads/4384644/normal_5f9172951a9aa.pdf
    • https://cdn-cms.f-static.net/uploads/4366302/normal_5f8770f513afe.pdf
    • https://cdn-cms.f-static.net/uploads/4365660/normal_5f87247a2470a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/2639/0946/files/71714203154.pdf
    • https://cdn.shopify.com/s/files/1/0431/3881/0023/files/19315176811.pdf
    • https://s3.amazonaws.com/henghuili-files2/givubokepoxoxizexuj.pdf
    • https://s3.amazonaws.com/sinadi/the_bluest_eye_google.pdf
    • https://s3.amazonaws.com/xanebavifamopez/pneumatic_diaphragm_valve.pdf
    • https://uploads.strikinglycdn.com/files/a4d80017-8b53-45df-b432-9e7c1f04d8c9/71441615237.pdf
    • https://uploads.strikinglycdn.com/files/66e7d52c-2ff4-4f7b-a920-d9921fc36f96/xerasexum.pdf
    • https://uploads.strikinglycdn.com/files/a34ce223-69ea-4456-bd51-20617c247cfa/744791051.pdf
    • https://uploads.strikinglycdn.com/files/286f83ef-4a0b-4d45-b1be-aee44be16c78/3185513006.pdf
    • https://uploads.strikinglycdn.com/files/ec3a6b11-92e8-4605-b905-8521095c5840/49838360226.pdf
    • https://uploads.strikinglycdn.com/files/5d458c14-0d26-452c-b816-cc79a6eb625f/41707750013.pdf
    • https://uploads.strikinglycdn.com/files/ca839194-fd30-4a5c-9aca-93592a923c0c/wow_wow_wubbzy_games_robot.pdf
    • https://uploads.strikinglycdn.com/files/6323d238-24e9-443c-9a94-0e12af1c6030/gotas_por_minuto_normogotero.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000076ed.bin
cf6c20f6788e820f0ce4f88fc195d09a7718cab624b5c1472d18c043197a9bd1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76ED 5628 bytes
font_01_sfnt_off000089f2.bin
7d350f21244d288a7f3a1f3ce49b78fc1c3206df0bd6200c3085268ca7a52ae5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89F2 10632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.