Malicious PDF — malware analysis report

Static analysis result for SHA-256 5785378a06f00e61…

Verdict: MALICIOUS
File type: PDF
Size: 43.5 KB
Created: 2020-10-20 17:41:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: 9292b874da6831a8725d53bc2d7b36d9
SHA-1: c84d1ddad09bb94cd32071eda3959c2b30902b64
SHA-256: 5785378a06f00e619c1c9cb8be5ceaff57190912ab32a29bfdc26af4aabd8302
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of embedded links, most pointing to throwaway .pdf files on free or self-service hosting (Weebly, f-static, Amazon S3, Strikingly, Shopify CDN), the pattern of a generated link farm or SEO-poisoning carrier rather than a document with citations. One critical heuristic matched a link to known malicious redirector infrastructure (ggtraff.ru), and the document text, though heavily obfuscated, contains a URL that appears to belong to the same infrastructure. No JavaScript or parser-exploit heuristic fired on this file: the risk is the redirect chain a user is routed into after clicking, so the T1059.007 mapping above should be read as a campaign-level tag rather than as evidence of script content in this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external .pdf links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ggtraff.ru/wb?keyword=flash%20season%203%20episode%2022  (in PDF document text)
    • https://pevugubak.weebly.com/uploads/1/3/2/7/132740457/jijosetuk.pdf  (in PDF document text)
    • https://varipejat.weebly.com/uploads/1/3/0/7/130739080/d4b9a2a495b.pdf  (in PDF document text)
    • https://xojerajap.weebly.com/uploads/1/3/1/3/131384359/laderote.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368976/normal_5f8e6f7362708.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4374704/normal_5f8a63f3eadf7.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366336/normal_5f88bee8a9b3b.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4391642/normal_5f8e9fbda49e7.pdf  (in PDF document text)
    • http://www.ascendercorp.com/  (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (in PDF document text)
    • https://s3.amazonaws.com/tetazino/61472424469.pdf  (in PDF document text)
    • https://s3.amazonaws.com/kavitokolezub/wanuwijevofuvel.pdf  (in PDF document text)
    • https://s3.amazonaws.com/sugaguxagu/tuximewojabedafojivarofi.pdf  (in PDF document text)
    • https://s3.amazonaws.com/sugaguxagu/fudedejijemodezinuwetoruv.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/62e1bee1-3785-4b9f-add3-ea132fe8fcdd/gixiwamijupemugitorawavaj.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cbe90637-5213-4f6b-ac50-8fd60319f33d/73899127815.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ed954feb-476b-40ad-b6b8-b80056a3b2f0/sadulif.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c44ad5eb-0746-4878-85ba-bdb2a40024eb/genabuvikonewekotixurowa.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/af3fc7bf-5103-4395-a8d0-4f6432f87271/xafotevugaluvo.pdf  (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0428/9029/7507/files/hotel_industry_trends_2020.pdf  (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0431/9870/9917/files/wish_daily_giveaway_not_showing.pdf  (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0507/1405/0720/files/worag.pdf  (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0433/0219/1269/files/mibivibesalazopevupud.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/87232cf7-e6ed-4d7c-8a43-8b44ee72c250/15721554778.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5c5a80cd-1b85-4864-a018-568833cdb16a/tarzan_lord_of_the_apes.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6ecc28f8-919c-47d4-85ec-950a46bba12c/the_evil_within_2_how_many_chapters.pdf  (in PDF document text)
    • https://uploads.strikinglycdn.com/files/950ba948-4e0d-406e-a268-00b72210c8b7/98102589120.pdf  (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in PDF document text)
    • http://purl.org/dc/elements/1.1/  (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (in PDF document text)
    • http://scripts.sil.org/OFL  (in PDF document text)
    Triage note: the last seven entries (the w3.org RDF, purl.org Dublin Core and ns.adobe.com pdf/xap namespaces, plus the SIL Open Font License URL) are XMP metadata namespace URIs and a font-licence reference, not links a user can click; the two ascendercorp.com URLs are most likely font-vendor metadata as well (Ascender is a type foundry), consistent with the two embedded sfnt fonts carved below. The entries that matter for the verdict are the ggtraff.ru redirector URL and the block of .pdf links on free hosting.
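The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a raw-syntax scan over the file bytes. The Python below is an added example, not the analysis platform's code: the thresholds (at least 10 external .pdf links, at least half of them on one host, file under 200 KB), the list of dictionary keys treated as "active content", and the example.* hosts in the constructed sample PDF are all assumptions made for illustration. The scan is xref-independent, so an object appended by an incremental update is seen next to the original definition, which is exactly the shape the duplicate-object heuristic looks for.

```python
"""Added example (not the analysis platform's code): re-implements the shape of two
heuristics from the report, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL,
as a raw-syntax scan over PDF bytes.  Thresholds, the active-content keyword list and
the sample PDF are assumptions made for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" anywhere in the file, xref-independent, so objects appended by
# incremental updates (and orphaned objects the xref no longer points at) are all seen.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI (...) string operands of link annotations and URI actions; stops at the first
# unescaped ")".  Hex-string and stream-compressed forms are out of scope here.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Keys whose presence makes a redefined object "active content" (assumed list).
ACTIVE_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
               b"/SubmitForm", b"/GoToR", b"/RichMedia")


def iter_objects(data):
    """Yield ((num, gen), body_bytes) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def extract_link_uris(data):
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


def link_farm_score(data, min_links=10, cluster_ratio=0.5, max_size=200 * 1024):
    """PDF_SEO_LINK_FARM shape: small file, many external .pdf links, mostly on one host."""
    uris = extract_link_uris(data)
    pdf_links = [u for u in uris
                 if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(data), "uris": len(uris), "pdf_links": len(pdf_links),
        "top_host": top_host, "top_host_share": round(share, 3),
        "hit": len(data) <= max_size and len(pdf_links) >= min_links and share >= cluster_ratio,
    }


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: same (num, gen) defined more than once
    with different bytes.  Returns what a first-wins and a last-wins reader would each
    resolve, and raises severity only when either body carries active content."""
    first, last = {}, {}
    for key, body in iter_objects(data):
        first.setdefault(key, body)
        last[key] = body
    findings = {}
    for key in first:
        if first[key] != last[key]:
            active = any(k in first[key] or k in last[key] for k in ACTIVE_KEYS)
            findings[key] = {"first_wins": first[key], "last_wins": last[key],
                             "severity": "high" if active else "info"}
    return findings


def build_sample_pdf():
    """Constructed test input, not the report's sample: 12 link annotations (9 .pdf files
    on one host), then an incremental update that redefines the Catalog (object 1) with
    an /OpenAction.  Cross-reference tables are omitted; the scanners above do not need them."""
    hosts = ["files.example-host.net"] * 9 + ["cdn.example-two.com",
                                               "s3.example-three.com", "www.example.org"]
    annot_ids = list(range(4, 4 + len(hosts)))
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
           + b" ".join(b"%d 0 R" % i for i in annot_ids) + b"] >>",
    }
    for i, host in zip(annot_ids, hosts):
        path = b"/" if host == "www.example.org" else b"/uploads/%d/file%d.pdf" % (i, i)
        objs[i] = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://"
                   + host.encode() + path + b") >> >>")
    pdf = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in objs.items())
    pdf += b"trailer\n<< /Root 1 0 R >>\n%EOF\n"
    # Incremental update: object 1 again, body-only change, now with an auto-open URI action.
    pdf += (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI "
            b"/URI (https://redirect.example/wb?keyword=x) >> >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%EOF\n")
    return pdf


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_score(sample))
    for key, f in duplicate_objects(sample).items():
        print(key, f["severity"],
              b"/OpenAction" in f["first_wins"], b"/OpenAction" in f["last_wins"])
```

Run as a script it prints the link-farm verdict for the constructed sample (11 external .pdf links, 9 of them on one host, so a hit) and the one duplicated object: object 1, reported high because the redefinition adds /OpenAction, which a first-wins reader never sees and a last-wins reader executes on open. On a real file the same functions run over the raw bytes, but compressed object streams (/ObjStm) and hex-encoded URI strings are not decoded here, so a production scanner needs a real parser in front of this logic.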

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off00006be1.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x6BE1   5204 bytes
  SHA-256: 269c61264243f74f38dc6f55e0d1edb88a641c8e0e9019d7733418bbe8954862
font_01_sfnt_off00007d8b.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x7D8B   10364 bytes
  SHA-256: 6e8fd7085b0d01f4e377b60cf1117766381e1eaab7d39575fff3b80b4eb21f1f