Malicious PDF — malware analysis report

Static analysis result for SHA-256 5eb97598244dd369…

MALICIOUS

PDF

Size: 105.3 KB
Created: 2020-07-28 16:29:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3d0cd8961e7e788d3e3543416ca538c
SHA-1: 373ac76c8b5eb8c65c1604b69c72a359bba1dddb
SHA-256: 5eb97598244dd3691014e4dd252113917a7f02af399713acead3d8aad1a8406b
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a high number of embedded links, with at least one pointing to known malicious redirector infrastructure. The ML classifier also strongly indicated maliciousness. The document body is heavily obfuscated, but the presence of numerous external links suggests an attempt to lure users to malicious sites, potentially for phishing or to download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00015503.bin
  SHA-256: 207298e2e8ac0b0db16d9466971c46e8a29d2b97e6a5e4756d4cff1930f72deb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15503
  Size: 3344 bytes

Filename: font_01_sfnt_off0001610b.bin
  SHA-256: 8d71da3e299baf417645085e46a8d21412bf0224f544518311503b77130c9737
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1610B
  Size: 5192 bytes

Filename: font_02_sfnt_off000172a6.bin
  SHA-256: 314668f453f3a2b3f87c395eed91b75d64d3edb07e0897b4c05c0f6c0615aed3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x172A6
  Size: 10620 bytes