Malicious PDF — malware analysis report

Static analysis result for SHA-256 351a7a0200df3e53…

MALICIOUS

PDF

65.7 KB Created: 2020-09-18 20:24:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ac23afb361132837990ccf8ba2f95526 SHA-1: 22d1712797265ed1733b285eab69a3d1749d0b95 SHA-256: 351a7a0200df3e5378c95e3167a03092af4687ccb19deaa693f4764050d107c8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link that redirects to known malicious infrastructure, disguised as a free stream for 'Avengers endgame'. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK confirms this, and the ML classifier strongly indicates maliciousness. The document body and embedded URLs suggest a phishing or scam attempt to trick users into visiting a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=avengers+endgame+free+stream+no+sign+up
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a524ac31-0099-4bc8-8c47-0b008c50bc59.filesusr.com/ugd/2d1648_6ddac4e1d8154e7abced32d11dc6f1cb.pdf?index=true
    • https://b76d92b6-a793-41e3-a47f-76673d4aeb7f.filesusr.com/ugd/c4b402_5117a1a38ceb4d63bf4714d4ef627911.pdf?index=true
    • https://08134ca3-3a03-4950-bdcd-624cff54b271.filesusr.com/ugd/345929_5b04ff121c244d2da03dbbf340915ece.pdf?index=true
    • https://0b0ec471-7a4a-4c9d-87ef-d06a5ec85047.filesusr.com/ugd/c068f8_4a41aaabf22944f7b7d1964393ac9b54.pdf?index=true
    • https://03bab3a0-adeb-4535-9c31-264130b7ccc8.filesusr.com/ugd/daca0d_26fb07403ba34da8a09cc18146b526f7.pdf?index=true
    • https://70fe37d7-4b36-4ff8-9a8c-da7541f197d7.filesusr.com/ugd/5ed537_e863f416dc264dd6b1523a4e283d6d5e.pdf?index=true
    • https://734ff838-3120-4268-b85d-b5212e9ce8af.filesusr.com/ugd/8ff694_44a46c6ca41a40d782382e5ec3feeece.pdf?index=true
    • https://6ec356e8-27cb-47f5-b8d1-2cfaeece3a64.filesusr.com/ugd/405339_b1af43b0f3b64a8a8cd30bd2dd1648b5.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0437/5989/4689/files/zalabepadaga.pdf
    • https://cdn.shopify.com/s/files/1/0467/7399/3625/files/62464504692.pdf
    • https://cdn.shopify.com/s/files/1/0438/5724/8421/files/90541752632.pdf
    • https://3720fff8-e032-4b91-a8da-1ce6b6624f89.filesusr.com/ugd/bcb9fd_1b93d600dd65441babd38d1d8679fa26.pdf?index=true
    • https://c6aba63c-cd92-48f1-af5a-ebf9911a14a3.filesusr.com/ugd/409ca8_606a1a4669e0440887226d5b3a2e674c.pdf?index=true
    • https://3f8d2cd4-1bac-408f-9d43-72f747f9e911.filesusr.com/ugd/493135_4462436d3bd64b3f87c7cb01c7b47207.pdf?index=true
    • https://6da1af5e-4817-4377-b212-640c2bce75ab.filesusr.com/ugd/b91566_207bb53006024087bac4d6c036e37d2d.pdf?index=true
    • https://b83b9a55-cd25-4518-b887-13c76397ce84.filesusr.com/ugd/ea5d7b_1388844934c5435b83dd2ec6bcabf766.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008340.bin
0e30b1194f4800a03be738050316a7f758402445f08c44a2b073140bdaf3db68		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8340 7116 bytes
font_01_sfnt_off00009b2a.bin
9aeecc7403253f837661f4b889e53a6705d5dcaa305275ada9076ece835d1f39		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B2A 5376 bytes
font_02_sfnt_off0000ad66.bin
6e5de5c6bcb7fdd8c5ca0d25823a8f80e6c764803c1b732dbc9c425a5c0f8ea5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAD66 2092 bytes
font_03_sfnt_off0000b70c.bin
c3200052d686ffecd342d054bdf67ae05b0f8ebe2303d75986967a49bd7c5087		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB70C 12764 bytes
font_04_sfnt_off0000e162.bin
780ccdcdf1b6278e30d25f87760d5f3cc4d361c26f3394aeea43a812bf95418a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE162 16188 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.