Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a5aeea60477eb05…

MALICIOUS

PDF

63.4 KB Created: 2020-08-02 11:33:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 55e6d94a1ab5863da4e59a6a4eec2235 SHA-1: 31c4596b02b0334b96cea6c8fb2e00590c7f2e96 SHA-256: 5a5aeea60477eb051d27f191cd4294ebb8097f0eec43f4cf8f2a27a4c40bf587
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector. This suggests a phishing or scam attempt, likely aiming to redirect users to a site for financial fraud or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=the+ar+15+complete+assembly+guide+pdf
    • http://files.wardpearsongroup.com/uploads/1/3/2/6/132681647/5723478.pdf
    • http://files.simplywholesometreats.ca/uploads/1/3/0/9/130969889/kiwaxamufapuw.pdf
    • http://files.cashflow3.com/uploads/1/3/1/8/131871704/wikafemugixa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/vatajimawi.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/83260340608.pdf
    • https://cdn.shopify.com/s/files/1/0433/1307/0238/files/pilurinadoruwe.pdf
    • https://cdn.shopify.com/s/files/1/0440/8459/2805/files/begs_the_question_synonym.pdf
    • https://cdn.shopify.com/s/files/1/0428/2938/1791/files/xutofojumopaponujidero.pdf
    • https://cdn.shopify.com/s/files/1/0435/6361/4369/files/wisoxajak.pdf
    • https://cdn.shopify.com/s/files/1/0429/0212/6751/files/fofikazokiwat.pdf
    • https://cdn.shopify.com/s/files/1/0433/5920/7592/files/92500157304.pdf
    • https://cdn.shopify.com/s/files/1/0431/8851/9080/files/jojowisine.pdf
    • https://cdn.shopify.com/s/files/1/0432/0228/1633/files/28488966936.pdf
    • https://cdn.shopify.com/s/files/1/0432/7990/9030/files/88611290516.pdf
    • https://cdn.shopify.com/s/files/1/0432/7754/9726/files/sadamezumaviraxoraxe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000acda.bin
bf53ed6950fe94f6f58bacd9eb661bcc63aaa211ce9bbcad342102aa358b584b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xACDA 5936 bytes
font_01_sfnt_off0000c0e8.bin
8770a9d16f6ec8ed1e04f7f31595c1fd3834ff76ff6f55291086ab87d6d749e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC0E8 2268 bytes
font_02_sfnt_off0000cafa.bin
a8ad924f3c1aee42f510c150e0f464210ea14cdc8d53322723ed902033ff7a72		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCAFA 10804 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.