Malicious PDF — malware analysis report

Static analysis result for SHA-256 54f8085ed5b91780…

MALICIOUS

PDF

72.2 KB Created: 2020-12-06 00:39:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-22
MD5: 24f71c0020e37cbbe7a262b099309ff2 SHA-1: 2ecae71cb42de4ddc75d6f0f4337f5afa45a73f9 SHA-256: 54f8085ed5b91780dcae3192f67a7fca805e7fe568dd8a79aa463ef3f675247a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF document is identified as malicious due to its structure and embedded links. It functions as a link farm, presenting itself as a "Canon rebel t6i instruction manual" to entice users to click on numerous external links. One of these links, https://ggtraff.ru/wb?keyword=canon%20rebel%20t6i%20instruction%20manual, leads to known malicious redirector infrastructure, indicating a phishing or malware distribution attempt. The ML classifier strongly supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/wb?keyword=canon%20rebel%20t6i%20instruction%20manual In PDF document text
    • https://fobolobal.weebly.com/uploads/1/3/4/3/134317950/2810574.pdfIn PDF document text
    • https://siwizapetodid.weebly.com/uploads/1/3/4/0/134041585/tomuv_guvipapabojosi.pdfIn PDF document text
    • https://batatebuve.weebly.com/uploads/1/3/4/6/134676181/7893889.pdfIn PDF document text
    • https://wiwawuvagowe.weebly.com/uploads/1/3/4/4/134496439/milaxovilidefigevu.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/841251e6-0909-4d0a-8c61-9e0751e3686a/1177788838.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4e8be9f7-9b4e-40d9-ac6e-5594455d70c0/39396759948.pdfIn PDF document text
    • https://s3.amazonaws.com/fezenur/2020_calendar_printable_south_africa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/836ba4b7-de2a-4b30-a539-238042a86a96/vanilla_twilight_mp3_320kbps.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/71187a54-da25-4092-9b94-e15a2c4e38eb/movies_like_house_on_the_rocks.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cdb046ea-cfef-4ce3-8191-1eab99455353/tozapuferusarufo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/04ccf6ba-d030-4720-ae97-6670a0996207/dexelivopuwazovozaxafo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/64941880-e7d2-40a0-ae8a-2c976af0243b/99027635973.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d1375a11-9564-4e16-9e6b-ea575f9c55ab/zaman_zaki_taji_qawwal_mp3_free_down.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fc9f10cc-fdce-4719-bc18-dc3d348393d1/kill_my_boss_cast.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8fead19a-82b3-4c6e-af6c-3cd883b582ed/pevikipupikajepumiwam.pdfIn PDF document text
    • https://s3.amazonaws.com/waxapoz/jizimuvilivarurugalixeke.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d8b5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD8B5 5144 bytes
SHA-256: 05763b86dc1068b66820b8d792141e9cbb109dabc139beee8336ab0efb108b6c
font_01_sfnt_off0000ea16.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA16 12760 bytes
SHA-256: ffd158158df8bf5509beda2d08e08c27e5052026f32f07b4e0b9b38b70192108