Malicious PDF — malware analysis report

Static analysis result for SHA-256 626071bde87a6090…

MALICIOUS

PDF

52.7 KB Created: 2020-09-03 07:37:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 232a9a2f7047dd8c1845ffd369dd0e24 SHA-1: 5bfded0f0b16e6e03df6c53b78728d614711c89e SHA-256: 626071bde87a6090fb6e7401505432754e032757204620f0eefa78af47d5a7be
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a redirector service, which is a common tactic for delivering malicious payloads or phishing pages. The embedded URL points to a redirector that uses a keyword related to chemical formation, likely as a lure. The PDF also contains a large number of links to other PDFs hosted on Shopify, suggesting a link farm used for SEO poisoning or to obscure the final malicious destination. No scripts were extracted, but the presence of embedded URLs and the heuristic firings strongly indicate a malicious redirector attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=caesium+fluoride+formation
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0428/0962/2691/files/logokisatamoposivow.pdf
    • https://cdn.shopify.com/s/files/1/0437/6992/1688/files/wiwumeganudefurupuxi.pdf
    • https://cdn.shopify.com/s/files/1/0437/6458/0501/files/bajaj_finance_loan_approval_letter.pdf
    • https://cdn.shopify.com/s/files/1/0432/5851/1510/files/jevezi.pdf
    • https://cdn.shopify.com/s/files/1/0434/4388/0093/files/all_androids_dbz_list.pdf
    • https://static.usrfiles.com/ugd/51c472_d10cc43e49bd49539e347fbefecf206b.pdf
    • https://static.usrfiles.com/ugd/ae059d_698bf58d7d58411784b4cf2e7f8e1f70.pdf
    • https://static.usrfiles.com/ugd/bf57b5_551da553056040cdb8c02f7915031eda.pdf
    • https://static.usrfiles.com/ugd/270e53_088d6f79359b4d2e91f43d68f84f17b0.pdf
    • https://cdn.shopify.com/s/files/1/0430/2484/2906/files/vagexavafoxi.pdf
    • https://cdn.shopify.com/s/files/1/0436/9947/0486/files/briggs_and_stratton_repair_manual.pdf
    • https://cdn.shopify.com/s/files/1/0437/1863/9765/files/nys_drivers_manual.pdf
    • https://cdn.shopify.com/s/files/1/0441/2506/1272/files/45404600488.pdf
    • https://cdn.shopify.com/s/files/1/0435/6590/8123/files/44181803085.pdf
    • https://cdn.shopify.com/s/files/1/0431/1734/6965/files/moral_leadership_definition.pdf
    • https://cdn.shopify.com/s/files/1/0437/1339/6901/files/37464979206.pdf
    • https://cdn.shopify.com/s/files/1/0436/3298/4222/files/aprende_a_dibujar_comic_anatomia_de_superheroes.pdf
    • https://cdn.shopify.com/s/files/1/0428/7656/7711/files/16181355417.pdf
    • https://cdn.shopify.com/s/files/1/0433/8486/4917/files/magominerelujeraxuteravax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007418.bin
0acae127d432746d095b5bd0375a0897f34f14d5dd3edc903598d39ab18e2e5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7418 6492 bytes
font_01_sfnt_off0000844c.bin
62e36893ae0e170ada25fdfd94ce3b92e909b7e9d4f84aea5d821f2f5701daa2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x844C 4960 bytes
font_02_sfnt_off00009510.bin
b86dc6d63747c69b87260e8a70da6c4fbec17a9de905fa0cf315f0ffdf4a3878		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9510 15696 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.