Malicious PDF — malware analysis report

Static analysis result for SHA-256 60b8713a33641a1b…

MALICIOUS

PDF

Size: 61.3 KB
Created: 2020-07-27 13:31:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d455dbac5ceca5783e0fb90eba674bd2
SHA-1: 32bda6118c42e752bfcffd5b1000df1159439bf2
SHA-256: 60b8713a33641a1beeffe17815ee17fe9c17468422be2d4ab79cbe191bfbf395
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF triggers a critical heuristic for linking to known malicious redirector infrastructure. It also exhibits the characteristics of a PDF link farm: numerous external links, many of them pointing to Shopify-hosted PDFs. The ML classifier strongly indicates maliciousness. The embedded content appears to be largely obfuscated or corrupted, but the primary malicious activity is the redirection to external, potentially harmful URLs.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=absorcion+y+distribucion+de+farmacos+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000a430.bin
  SHA-256: 4d771382345340bccaf88016fc037321effe9b22602cddc85c89645595fd4ad8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA430
  Size: 2252 bytes

Filename: font_01_sfnt_off0000ae2e.bin
  SHA-256: 1716ef7b8332ad93b669c2b1fa126eb135c4dcf1470f510cb6b45ba133dd522b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAE2E
  Size: 5380 bytes

Filename: font_02_sfnt_off0000c05c.bin
  SHA-256: 6ce969a2ac3ce7acc15b55d3cc4d55e0b60dddd6403a7487602e42069661308b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC05C
  Size: 11560 bytes