Malicious PDF — malware analysis report

Static analysis result for SHA-256 64d16f97849552e7…

MALICIOUS

PDF

46.5 KB Created: 2020-08-19 19:47:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78bdcfdf6cd6ce81eed5a80ae7970878 SHA-1: f0e6d0a55f4773698c7508d1508b18f345264b3b SHA-256: 64d16f97849552e7823c891135fe928b468a90b04612da1c05fc09c824094684
294 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded JavaScript and multiple links to external URLs, including a known malicious redirector. The document body and embedded scripts suggest an attempt to disguise malicious activity under a seemingly innocuous topic. The embedded script likely downloads and executes a second-stage payload from the linked URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=limitations+of+social+media+pdf
    • http://files.somalibantucitizengroupoforegon.org/uploads/1/3/0/7/130775905/96acff.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0428/8921/6163/files/amplificateur_diffrentiel.pdf
    • https://cdn.shopify.com/s/files/1/0436/8701/8649/files/44316918905.pdf
    • https://cdn.shopify.com/s/files/1/0431/0640/2453/files/mail_today_epaper_download.pdf
    • https://cdn.shopify.com/s/files/1/0437/6851/2669/files/28_rules_subject_verb_agreement.pdf
    • https://cdn.shopify.com/s/files/1/0434/0164/2149/files/karefijimobusowubo.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/77330784460.pdf
    • https://cdn.shopify.com/s/files/1/0433/7539/4979/files/kuvoson.pdf
    • https://cdn.shopify.com/s/files/1/0434/3886/6593/files/virudavizokuvelezomuvi.pdf
    • https://cdn.shopify.com/s/files/1/0428/3308/4575/files/delete_worksheet_in_excel_using_powershell.pdf
    • https://cdn.shopify.com/s/files/1/0436/4104/5145/files/behringer_x_air_xr16_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0000633c.bin
4f05cbadd527d224dfb5f2a9583fcc2ccaeeb5dccbf69277b49dc4d793068def		 pdf-embedded-script PDF decompressed stream script payload at offset 0x633C 47580 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
font_00_sfnt_off00006a69.bin
676b13d2879392d28f4ab4f3410d20c3c277d13f76765129e320386e1f56d172		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A69 4936 bytes
font_01_sfnt_off00007b11.bin
3f069c2416271baa285f6ecbfb89f8762d706bdc174905cffc70e441020a2f8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B11 10476 bytes
font_02_sfnt_off00009ed3.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9ED3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.