Malicious PDF — malware analysis report

Static analysis result for SHA-256 57c70bc8a1646afa…

MALICIOUS

PDF

72.1 KB Created: 2020-10-31 12:28:20 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61b939d9a7a9db3420609da68504ec10 SHA-1: e8c5c955b0c8da50e54cf8059a9e8380075752df SHA-256: 57c70bc8a1646afa519af388abf213aa87c6e1f58c5d10f1598797f286f64b8f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains embedded links, one of which points to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text that appears to be a lure related to a "Cranial nerve assessment chart". The presence of numerous external PDF links, many pointing to benign content, suggests a link farm or SEO poisoning tactic to disguise the malicious redirector. No scripts were extracted, but the primary malicious activity is the redirection to a harmful URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/123?keyword=cranial+nerve+assessment+chart
    • https://cdn-cms.f-static.net/uploads/4369327/normal_5f9aef1be7086.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0268/8083/5765/files/law_and_order_svu_meme.pdf
    • https://cdn.shopify.com/s/files/1/0433/4839/4143/files/lazy_boy_parts_manual.pdf
    • https://uploads.strikinglycdn.com/files/1d76d7db-2404-4e66-a8ab-6ef145e1717e/pdf_driver_for_windows_8.1.pdf
    • https://s3.amazonaws.com/bidivo/manorama_calendar_2019_download.pdf
    • https://uploads.strikinglycdn.com/files/a5017bd5-7a09-4b2f-83d9-b3ef83f77e71/micro_mechanic_pro_code.pdf
    • https://cdn.shopify.com/s/files/1/0504/8631/3152/files/57513768165.pdf
    • https://uploads.strikinglycdn.com/files/2d59f3e9-05f2-4f57-86f1-3e2a48c11cbe/15472648112.pdf
    • https://cdn.shopify.com/s/files/1/0496/1006/4036/files/glide_image_loader_in_android.pdf
    • https://s3.amazonaws.com/vuliwisuwig/apostila_auditoria_ambiental.pdf
    • https://s3.amazonaws.com/zupenafud/power_source_battery_charger_power_supply_model_pc30.pdf
    • https://cdn.shopify.com/s/files/1/0498/2066/3970/files/pronoun_agreement_worksheet_with_answers.pdf
    • https://s3.amazonaws.com/memul/36686473205.pdf
    • https://s3.amazonaws.com/leguvefu/5077646844.pdf
    • https://s3.amazonaws.com/tesotiwapax/sovunek.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dd76.bin
a087b111ac2865b8615ad22c0e10a3ab43e79d0466f3b690dad7a426a6fe70da		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDD76 5004 bytes
font_01_sfnt_off0000ee4e.bin
7a86261574d7ad66625805041c3d9514bcea520a15b93ba9559232fcb06e96b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE4E 10980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.