Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d4645cb45861409…

MALICIOUS

PDF

44.4 KB Created: 2020-08-10 21:21:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fd3f6c158a5662af5e71c4940a365b95 SHA-1: 5155755d88018f9a0ba67ac35c02fb0322211536 SHA-256: 5d4645cb458614097cfe1acc7ebdb43f34b7cd886e26f414d3a2442f48547cd3
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link that redirects to known malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text that appears to be a lure for a 'Java GUI tutorial PDF free download'. The presence of numerous external PDF links, many pointing to Shopify, suggests a link farm for SEO manipulation, with the primary malicious link being the redirector. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=java+gui+tutorial+pdf+free+download
    • http://files.kathrynrobertson.co.nz/uploads/1/3/0/7/130775672/7930106.pdf
    • http://files.memassweets.com/uploads/1/3/0/7/130738943/rulesibiv_xubederiz_datizilemeba_nubavida.pdf
    • http://files.beautifulroomsinluton.co.uk/uploads/1/3/0/9/130970004/eeb21935a3.pdf
    • http://files.selimmawad.com/uploads/1/3/0/7/130739593/8368105.pdf
    • http://fubojizez.varghesemathai.com/uploads/1/3/0/8/130814124/33165699.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0440/8328/2070/files/understanding_and_using_english_grammar_answer_key_free.pdf
    • https://cdn.shopify.com/s/files/1/0427/4946/0636/files/kann_man_auf_kindle_lesen.pdf
    • https://cdn.shopify.com/s/files/1/0437/3214/0186/files/25484362581.pdf
    • https://cdn.shopify.com/s/files/1/0437/2883/0625/files/5164766088.pdf
    • https://cdn.shopify.com/s/files/1/0431/0876/1764/files/61220144669.pdf
    • https://cdn.shopify.com/s/files/1/0432/9065/6921/files/30508105731.pdf
    • https://cdn.shopify.com/s/files/1/0434/7727/0678/files/suleki.pdf
    • https://cdn.shopify.com/s/files/1/0429/9846/4661/files/sisomus.pdf
    • https://cdn.shopify.com/s/files/1/0439/4831/0683/files/mizanizeza.pdf
    • https://cdn.shopify.com/s/files/1/0431/6761/3082/files/mevuworobexeve.pdf
    • https://cdn.shopify.com/s/files/1/0438/6829/1232/files/wizazitolevegoro.pdf
    • https://cdn.shopify.com/s/files/1/0432/3350/9534/files/lusev.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006fa2.bin
31b79083e9f059b6f10c8c35d0093de9a18d9deb8c2849dc1762130d2bca6c69		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FA2 5172 bytes
font_01_sfnt_off00008164.bin
c3283e8c27fa1eefda01d87f9d42e777931894831e8a90e2641529a29a1de58d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8164 10328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.