Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ea9383fd1c54e78…

Verdict: MALICIOUS
File type: PDF

Size: 74.8 KB
Created: 2020-08-03 06:57:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd63f09f72ce588bb12aa91b1466c092
SHA-1: 5a4ca50aaa329c78540e96500dea4601dd20deed
SHA-256: 5ea9383fd1c54e7856d5f5d719b71dbf9215fe89b84a79697d0f9c7cc2904000
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external PDF files hosted on various domains, including a known malicious redirector. The ML classifier strongly indicated maliciousness. The document body, though heavily obfuscated, contains the URL to the malicious redirector, suggesting an attempt to lead the user to malicious content or a phishing page.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                        Size
font_00_sfnt_off000070c5.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x70C5     10800 bytes
  SHA-256: dc37a7c9cd1d1d5445c30d28cae9153fa3750f8c95bc3fd903634034bb2f1104
font_01_sfnt_off000094ab.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x94AB     5104 bytes
  SHA-256: 8ce78cc3f58003de9410cb4bb618ba3e53d8718ea47ee19905539891d28cc6d3
font_02_sfnt_off0000a604.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xA604     10180 bytes
  SHA-256: 2b642ef9c0d6f9b519856689c58d9992ff2e42eb402241681e331269870dc8b0
font_03_sfnt_off0000c219.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xC219     13852 bytes
  SHA-256: 4f283f4796a900befbb7caddfa31bf49edc00c00263fe44934e74f89bb7e7a4e
font_04_sfnt_off0000ef7e.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xEF7E     18344 bytes
  SHA-256: eeb17a4024d4c2b07ea49f8be7be482d3f005e8cd0ccbdf536ded05de5176964
font_05_sfnt_off00010ca4.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x10CA4    4360 bytes
  SHA-256: 2296ce30660d4e0c25231339e5f9a4d6f4f566c850ec0a8bab1180c259faeecc