Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ff99efa6fe132c5…

Verdict: MALICIOUS
File type: PDF
Size: 51.5 KB
Created: 2020-07-30 08:47:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aafbe558b3fd4779951d3ebceeba903e
SHA-1: 04d287b507e406e9c985891495e4a2480f59b937
SHA-256: 6ff99efa6fe132c55781f5baf858f1b561a6445ea53f19cf8c90a0f76fd702b0
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, with the primary redirector URL identified as malicious. The ML classifier also strongly indicated maliciousness. While no scripts were directly extracted, the PDF structure and embedded links suggest an attempt to lure users to external, potentially malicious, content, possibly for phishing or SEO spam.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.com/pify?keyword=cement+plant+operation+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000768e.bin
    SHA-256: 3674f7e14af330dde3b97da200cb868f79f26b4361e5262e41ba61f6620ed5ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x768E
    Size: 4820 bytes
  • font_01_sfnt_off000086d0.bin
    SHA-256: 4db4d53e18a779d9ea7c53b7ee1249b7368b1dd18df3b4321902c3a65c9548ec
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x86D0
    Size: 10208 bytes
  • font_02_sfnt_off0000a9e0.bin
    SHA-256: 4972c892cf783310df7ebe7a43044f7b4e4d650808add06809858f2f0e6eeb09
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA9E0
    Size: 16448 bytes