Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f62aafef928d7b3…

MALICIOUS

PDF

Size: 50.0 KB
Created: 2020-08-15 05:00:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d33876532a90227b6ccecd36b082d2d1
SHA-1: 4ce8239113388638f8ffef6d0afb8a415076d6aa
SHA-256: 5f62aafef928d7b3b0a770578363416cb8cca516c9cede808d632e444d420dff
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of clickable external links, many of them pointing to redirector infrastructure, as flagged by the PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics. The document body text, though garbled, contains the search phrase 'certificate border design template' and a URL that carries that phrase as a keyword parameter, which is the pattern the redirector heuristic keys on. A small, tool-generated PDF whose main content is a cluster of external links is consistent with an SEO link-farm carrier built to route users into phishing or unwanted-software delivery chains rather than with a normal document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each one. Note that the final seven entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org) are XMP metadata namespaces and a font-licence URL rather than clickable links, and the ascendercorp.com and daltonmaag.com entries are font-foundry sites, most likely carried in the embedded fonts' name tables.
    • https://ttraff.ru/pify?keyword=certificate+border+design+template
    • http://tatitowi.omenyiclassicstew.com/uploads/1/3/1/8/131856772/ranakasapepolus_ketebozitiru_kegeluxep_nugomofemu.pdf
    • http://files.luckytakoyaki.com/uploads/1/3/1/0/131070207/tezivadibera_fugefekedige.pdf
    • http://files.whwrestling.com/uploads/1/3/1/4/131438427/6142724.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0431/1924/7514/files/19773862327.pdf
    • https://cdn.shopify.com/s/files/1/0433/7149/5574/files/4433422161.pdf
    • https://cdn.shopify.com/s/files/1/0435/1374/1471/files/moriwunuvepaxifadex.pdf
    • https://cdn.shopify.com/s/files/1/0433/9325/3526/files/3736239298.pdf
    • https://cdn.shopify.com/s/files/1/0430/5901/9933/files/24491328203.pdf
    • https://cdn.shopify.com/s/files/1/0432/3665/5259/files/galafunaluse.pdf
    • https://cdn.shopify.com/s/files/1/0435/1413/4692/files/56797773770.pdf
    • https://cdn.shopify.com/s/files/1/0431/6200/9755/files/1995_jeep_cherokee_owners_manual.pdf
    • https://cdn.shopify.com/s/files/1/0431/7567/4024/files/race_car_aerodynamics_designing_for_speed_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/7437/9157/files/11820708787.pdf
    • https://cdn.shopify.com/s/files/1/0433/9495/7475/files/edge_of_the_empire_character_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0440/1581/2766/files/proteinuria_classification.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
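As an added example, not code from the report or from the analysis tool that produced it, the script below implements the core of the two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, directly over raw PDF bytes. It only counts URLs reached through /URI link actions, which is why XMP namespace URLs never enter the link-farm tally, and for duplicated objects it records what a first-wins and a last-wins reader would each resolve and raises severity only when one of the bodies carries active content. The thresholds, the list of "active content" keys, the hostnames and the sample PDF it builds are all assumptions; the sample is constructed inline and is not the carved file.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Regexes over the raw bytes are enough for uncompressed objects such as link
# annotations; objects packed into FlateDecode'd object streams would first need
# a real parser (pypdf, pdfminer) to inflate them.
OBJ_RE = re.compile(rb"\b(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that turn a duplicated-object finding from "info" into "critical".
# Assumed list for this example, not the report's own.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def extract_link_uris(pdf: bytes) -> list[str]:
    """URIs reached through /URI actions only, i.e. clickable link annotations.
    XMP namespace URLs and body text are deliberately out of scope here."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_score(pdf: bytes, max_size=100_000, min_links=8, cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM-style check: a small file with many clickable external
    .pdf links, most of them clustered on one host. Thresholds are assumed."""
    uris = extract_link_uris(pdf)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = len(pdf) <= max_size and len(pdf_links) >= min_links and ratio >= cluster_ratio
    return {"size": len(pdf), "uri_count": len(uris), "pdf_link_count": len(pdf_links),
            "top_host": top_host, "cluster_ratio": ratio, "flagged": flagged}


def duplicate_objects(pdf: bytes) -> list[dict]:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: the same (number, generation)
    defined twice with different bytes. Keeps both the first-wins and the last-wins
    body and raises severity only when active content is involved."""
    first_seen: dict[tuple[int, int], bytes] = {}
    findings = []
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if key not in first_seen:
            first_seen[key] = body
        elif first_seen[key] != body:
            active = any(k in first_seen[key] or k in body for k in ACTIVE_KEYS)
            findings.append({"obj": key, "severity": "critical" if active else "info",
                             "first_wins": first_seen[key], "last_wins": body})
    return findings


# Constructed sample (not a carved artifact): seven .pdf links on one host, one on
# another host, one non-PDF link, then an incremental-update tail that redefines
# two objects, one harmlessly and one adding a JavaScript page-open action.
SAMPLE_URIS = [f"https://cdn.shop-example.test/s/files/1/043{i}/files/{i}.pdf" for i in range(7)] + [
    "http://files.other-example.test/uploads/1/3/1/8/x.pdf",
    "http://www.fonts-example.test/",
]


def build_sample() -> bytes:
    annots = [b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>" % u.encode()
              for u in SAMPLE_URIS]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(annots)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>"] + annots
    out = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    # Incremental update: object 1 changes only metadata, object 3 gains /AA with JavaScript.
    out += b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Lang (en) >>\nendobj\n"
    out += (b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] "
            b"/AA << /O << /S /JavaScript /JS (app.alert\\(\"constructed\"\\)) >> >> >>\nendobj\n")
    return out + b"%%EOF\n"


if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_score(sample))
    for f in duplicate_objects(sample):
        print(f["obj"], f["severity"], b"/JavaScript" in f["last_wins"])
```

Run as a script it prints the link-farm verdict for the constructed sample (8 of 9 link URIs end in .pdf, 7 of those 8 on one host, so it is flagged) and two duplicate-object findings: object 1 at "info" because only /Lang changed, object 3 at "critical" because the last-wins body adds a /AA JavaScript action that a first-wins reader would never see. Point `link_farm_score` and `duplicate_objects` at a real file's bytes to reproduce the two heuristics on a sample of your own; remember to inflate object streams first if the file uses them.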

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000734a.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x734A   5424 bytes
  SHA-256 b5940c2bcd7694f10cf33278e9c1962f488bb51821cf17a5c2f73ea0c6425c0e
font_01_sfnt_off00008591.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x8591   12620 bytes
  SHA-256 7c5d22e6c6cb27cd23e9b4e4f83a303f57659ad373b2f2020e59715baf3ea4e9
font_02_sfnt_off0000aced.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xACED   4324 bytes
  SHA-256 ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3