Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b15d970f94c8318…

MALICIOUS

PDF

44.9 KB Created: 2020-09-18 06:29:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6b0f84d1a0aa5999b55f4945bdcd2f6c SHA-1: 2b904f6b23ac6e243cf39fcaaa4af52a001ce54f SHA-256: 5b15d970f94c8318d3624e9c3d3b46537c5fd7fbe89ac46b9227667e27da6d56
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, with the primary one leading to a known malicious redirector. The document body, though heavily obfuscated, contains text related to 'Costco chicken pot pie cooking instructions' and the authoring application, suggesting a lure to disguise the malicious intent. The ML classifier strongly flagged this PDF as malicious, supporting the presence of malicious redirector links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=costco+chicken+pot+pie+cooking+instructions
    • http://furogiz.indypolevaultjumpscamps.com/uploads/1/3/1/6/131606490/642613.pdf
    • http://files.foodloveblog.com/uploads/1/3/1/3/131380868/vosirijofa.pdf
    • http://lebubili.msdiglobal.com/uploads/1/3/1/4/131406062/3391157.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://78c38625-c939-4dc1-89ab-de26f1237e28.filesusr.com/ugd/c57cae_4d1a278ae384492d962ebaa911390233.pdf?index=true
    • https://8a05efc1-de5b-48a6-a68f-1f835fea149f.filesusr.com/ugd/f967ac_ce36711bb46f4bd7888d060b125f5b85.pdf?index=true
    • https://48b9dc58-96a3-4682-a6fb-cd84c8a4d528.filesusr.com/ugd/a9e086_4386eca8bb7448b2986cd90d6afe5ea3.pdf?index=true
    • https://5ee1ab80-cc09-44b5-87be-6dd05c69c6bd.filesusr.com/ugd/1cc777_0583d58514534e4f9096ce471c240d30.pdf?index=true
    • https://0e5ea108-0839-4bc8-8b5e-6f469e31a109.filesusr.com/ugd/3225da_363226abed1a427abfda4a5912ece692.pdf?index=true
    • https://d8643b8f-15c7-4d12-a20b-694b5c3b6e5b.filesusr.com/ugd/9734e7_6e329ebf721c4361a4151f69b01ae218.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0436/9544/0040/files/65188102666.pdf
    • https://cdn.shopify.com/s/files/1/0433/8827/2807/files/bodakasitoxujasij.pdf
    • https://cdn.shopify.com/s/files/1/0439/2209/6283/files/32429878046.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000648d.bin
cf3e6bd9214ff8660ccfb730ed646c241e0b9c8c9c0e9a8b3173e8778caa65c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x648D 4924 bytes
font_01_sfnt_off00007545.bin
276923983bde73cdce8388174708e19704b7468f54ab74456dc6849179701e9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7545 10432 bytes
font_02_sfnt_off000098f3.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x98F3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.