Malicious PDF — malware analysis report

Static analysis result for SHA-256 6efa528a058fb945…

Verdict: MALICIOUS
File type: PDF
Size: 73.1 KB
Created: 2020-10-27 19:09:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1d61915653f1783479673b2653ccb616
SHA-1: 7553558ee37ba3698441c58dd432e847ac5dcf90
SHA-256: 6efa528a058fb9458d3c6a83149c4fa064f881b8b5157ab5cc52f45ed29f68c2
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many pointing to link farms and a known malicious redirector. The document body, though heavily obfuscated, contains URLs that are likely intended to trick users into downloading further malicious content or visiting phishing sites. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000b1df.bin | 3183d076ec51d7bfdd3aa711048bea8ed02fc18b114bf489d4bac8cb0f6f3718 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB1DF | 5388 bytes
font_01_sfnt_off0000c40b.bin | 736fcb9f25a5c4fe860923d8ee39fc78ac5aa9fc51530dd82da97b6b69cd4df7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC40B | 13768 bytes
font_02_sfnt_off0000f0a9.bin | cab63ce06b94ab17bb66e0fafb4ba595e61dcf81e5062553b9c61cdd9b018f18 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0A9 | 16540 bytes
font_03_sfnt_off00010756.bin | 97450b318fe34b3f744e9a09fc7fc5ac4a1a9ae666e4363b12cd03b7b68c71b9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10756 | 6108 bytes