Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f7720325442ca7c…

MALICIOUS

PDF

43.4 KB Created: 2020-07-10 07:25:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e66b7c1790e80b8d2630805cf6e0c10b SHA-1: 43805d98418d74c5e1908a2b55b59b1dfed1eade SHA-256: 5f7720325442ca7cc824117e587019af8dc44eeaa4762b7f90ffa83cc6915f2c
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of external links, many of which are algorithmically generated and point to PDF files. One of the primary links redirects through a known malicious redirector, suggesting an attempt to download a second-stage payload. The document body is obfuscated but contains references to "Linear equations worksheet grade 9", likely a lure to entice users to click the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=linear%20equations%20worksheet%20grade%209
    • http://files.sherburn.com/uploads/1/3/1/8/131856950/nuvewopikedakewerigo.pdf
    • http://files.centraldancehongkong.com/uploads/1/3/1/4/131437799/tibelikogaril-wurewed-taxalilawitu.pdf
    • http://files.serbianheritageacademyofcanada.ca/uploads/1/3/1/0/131070912/tovinovabanek_fujozi_suxikemonewute_kalijisisaf.pdf
    • http://files.cl-projects-sound-design.com/uploads/1/3/1/4/131453018/nuvupiwosago_barisabe_migegew.pdf
    • http://files.jenniferdsandquist.com/uploads/1/3/2/6/132680998/a115cae8197.pdf
    • http://files.eastlincolnchurchofchrist.com/uploads/1/3/0/7/130739322/bemupimiw_lavoku_deduferin.pdf
    • http://files.cosybedsandburrows.com/uploads/1/3/0/8/130813851/solewugolidafozej.pdf
    • http://files.jennagalicki.com/uploads/1/3/1/1/131163516/waxove-naxumox-rozekapuw-kelamukup.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://vigifeji.files.wordpress.com/2020/07/38715490254.pdf
    • https://rapesopo263753881.files.wordpress.com/2020/06/45463547496.pdf
    • https://mulanarojed.files.wordpress.com/2020/07/wusedimarogiwu.pdf
    • https://bujadite.files.wordpress.com/2020/06/weledug.pdf
    • https://xarinigeted.files.wordpress.com/2020/06/55551945005.pdf
    • https://gilifuzawu.files.wordpress.com/2020/06/87849016046.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/90442425312.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/fupibi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/wexidemunuviviradepinitim.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/30553092986.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/72274594547.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/judegesuzopo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/38030937597.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064f0.bin
72c1756637cd28c02d621e35873e6784747b28ad18e82a4d72182db1c56495da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x64F0 5316 bytes
font_01_sfnt_off00007704.bin
512fab1fdb762cc99f22e5209e243e2df0d6c4c440c8bbb6bbbcce1b39fa93ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7704 12944 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.