Malicious PDF — malware analysis report

Static analysis result for SHA-256 361fb571ce743be6…

MALICIOUS

PDF

Size: 48.3 KB
Created: 2020-11-06 12:54:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: a1c161f85c41c706ffd5d28da012be3d
SHA-1: db694b7bf50668711fabcdba5459294db3b32561
SHA-256: 361fb571ce743be64129d714c169d3e34948a342ee9c9978c8cad5fce57398c8
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by an ML classifier (Nyx PDF Classifier, score 1.0000) and by a critical heuristic: it carries a clickable link to cctraff.ru, redirector infrastructure used by a PDF SEO/adware delivery campaign, so the file routes users through a redirect chain rather than exploiting the PDF reader. The full set of URLs extracted from this sample, with the channel each was found in, is listed under Embedded URL below.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (this file was produced by wkhtmltopdf, which appends objects), so severity is raised only when the duplicate carries active content such as an action, JavaScript or a URI.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/aws?keyword=samsung+dryer+manual+dve45r6100c (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4378153/normal_5f95c54abe54b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379477/normal_5f922766eb989.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4387421/normal_5f97facfdb322.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f73b80e7-8b93-4e24-aab9-7e13dc447970/elementos_basicos_internos_de_una_computadora.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d567af50-c184-4af8-8afc-6c5b217e8083/susan_j_hall_insurance.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/33e06ad9-ba5f-42ff-9967-2eca02c46fd4/84000942650.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ab3a9e9d-a87c-4e96-a497-e5ce64a03676/que_es_el_potencial_hidrico.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f9f5205c-9dcf-4ad3-83a7-4b4a9f89d2a3/88918919027.pdf (in PDF document text)
    • https://s3.amazonaws.com/leguvefu/wopifamijo.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5922116f-54eb-4cce-b172-3735b7dc5ee8/fennell_shooting_school_address.pdf (in PDF document text)
    • https://s3.amazonaws.com/pasawexawinogad/46622950520.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c2153bae-6d22-46e4-b190-fd7190e065a0/kuzopelivuzebekadus.pdf (in PDF document text)
    • https://s3.amazonaws.com/jukoxisojow/maxamopip.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/eb5eeebb-06a7-47a1-8fc4-07fa823a1532/polk_audio_rm705_5.1_home_theater_system.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text; XMP namespace, not a navigable link)
    • http://purl.org/dc/elements/1.1/ (in PDF document text; XMP namespace, not a navigable link)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text; XMP namespace, not a navigable link)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text; XMP namespace, not a navigable link)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text; XMP namespace, not a navigable link)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text; XMP namespace, not a navigable link)
    • http://scripts.sil.org/OFL (in PDF document text; font licence URL from an embedded font)
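The three heuristics above reduce to two checks a triage script can run offline: find indirect objects defined more than once with differing bodies and ask what a first-wins reader resolves versus a last-wins reader, and extract every URL while recording the channel it was reached through (a /URI link annotation versus plain document text), flagging only clickable links whose host is on a redirector watchlist. The following Python is an added example written for this page, not the analysis engine that produced the report; it uses a constructed sample PDF (a deliberately duplicated object 4 0 whose second copy adds a /URI action), a one-entry watchlist built from the indicator listed above, and a toy regex object parser that does not handle object streams, hex strings or cross-reference tables. The severity bump for an active duplicate is an assumption about how the heuristic is tuned.

```python
"""Toy static PDF triage: duplicate-object (first-wins vs last-wins) check plus
URL channel labelling.  Added example, not the engine behind this report."""
import re
from urllib.parse import urlparse

# Constructed sample (not the analysed file).  Object 4 0 is defined twice: the
# incremental-update copy at the end adds a /URI action pointing at a host we
# treat as redirector infrastructure.  Object 5 0 carries a plain-text URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>
endobj
5 0 obj
<< /Length 45 >>
stream
BT (see https://example.org/manual.pdf) Tj ET
endstream
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://cctraff.ru/aws?keyword=test) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)  # literal strings only
URL_RE = re.compile(rb"""https?://[^\s<>()"']+""")
# Keys whose presence makes an object "active": it can trigger a viewer action.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/AA",
               b"/OpenAction", b"/SubmitForm")


def parse_objects(data):
    """Map (object number, generation) -> list of body bytes, in file order."""
    objects = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objects.setdefault(key, []).append(m.group(3).strip())
    return objects


def duplicate_objects(objects):
    """(key, first_body, last_body) for objects defined twice or more with different bodies."""
    return [(k, b[0], b[-1]) for k, b in objects.items() if len(b) > 1 and b[0] != b[-1]]


def has_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)


def link_annotation_uris(objects, resolution):
    """URIs reachable through /URI actions when duplicates resolve first-wins or last-wins."""
    idx = 0 if resolution == "first" else -1
    uris = []
    for bodies in objects.values():
        for m in URI_RE.finditer(bodies[idx]):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo PDF literal-string escapes
            uris.append(raw.decode("latin-1"))
    return uris


def text_urls(data):
    """Every URL-shaped token anywhere in the raw file (the 'document body' channel)."""
    return {m.group(0).decode("latin-1") for m in URL_RE.finditer(data)}


def analyze(data, redirector_hosts):
    """Return (rule, severity, detail) findings in the style of the report above."""
    objects = parse_objects(data)
    findings = []
    for key, first, last in duplicate_objects(objects):
        active = has_active_content(first) or has_active_content(last)
        sev = "high" if active else "info"  # assumption: raise only when a copy is active
        findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", sev,
                         f"{key[0]} {key[1]} obj defined {len(objects[key])} times; "
                         f"active content in a duplicate: {active}"))
    annots = {}
    for res in ("first", "last"):
        for url in link_annotation_uris(objects, res):
            annots.setdefault(url, set()).add(res)
    for url in sorted(text_urls(data) | set(annots)):
        if url in annots:
            channel = "link annotation (%s-wins)" % "/".join(sorted(annots[url]))
        else:
            channel = "document body"
        host = (urlparse(url).hostname or "").lower()
        if url in annots and host in redirector_hosts:
            findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical", f"{url} via {channel}"))
        else:
            findings.append(("EMBEDDED_URL", "info", f"{url} via {channel}"))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in analyze(SAMPLE_PDF, {"cctraff.ru"}):
        print(f"{sev:8} {rule:36} {detail}")
```

On the sample, a first-wins reader sees no clickable link at all while a last-wins reader sees the cctraff.ru action, which is exactly why the heuristic evaluates both resolutions instead of trusting one parser. The plain-text URL in the content stream is reported only as EMBEDDED_URL with its channel, matching the report's note that the URL itself is not a detection.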

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000642f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x642F | 5728 bytes
  SHA-256: ae171953189fdb8bc585a083b7d43ef0081cf8a5b2a29d31ee0a46c356792a89
font_01_sfnt_off00007798.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7798 | 2232 bytes
  SHA-256: b17165ff0523b3d5300e4778d910a6b55d6b38be8212900b7eb7919fc555aab0
font_02_sfnt_off0000813e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x813E | 10760 bytes
  SHA-256: 18e795a6964a3e2f464ad5795880f155c90240704f596d581f904c3aba0fad9b
font_03_sfnt_off0000a5ed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA5ED | 4324 bytes
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378