Malicious PDF — malware analysis report

Static analysis result for SHA-256 70be0a376bf37ccb…

Verdict: MALICIOUS
File type: PDF
Size: 57.5 KB
Created: 2020-08-24 11:40:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 998862dd222be46ce0df54e1df65b888
SHA-1: 0c42c65e8639edd553fa250dd6788bcda70bd647
SHA-256: 70be0a376bf37ccb47c37fc0609cb088384e98cdbbb0305efc43045d69b5b81d
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded links, with one identified as a malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting an attempt to drive traffic to various sites. The ML classifier also strongly flagged this PDF as malicious. The primary malicious IOC is the redirector URL.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • font_00_sfnt_off000052ad.bin
    SHA-256: 837a753b31e2b303fb8c72b2f77d35f7ba810539609295bc72659f7cf4b63312
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x52AD; Size: 4112 bytes
  • font_01_sfnt_off00006141.bin
    SHA-256: edcf6183e7ec9f8e14e4336584e62b1b10af9e7f08f3c449dbeee2d7634e5ae2
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x6141; Size: 5228 bytes
  • font_02_sfnt_off000072e8.bin
    SHA-256: f8c094d218658d6af2ba17160e610d63b48a61de6bd1ea908990cb6d7d0f7067
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x72E8; Size: 3268 bytes
  • font_03_sfnt_off00007fd7.bin
    SHA-256: bd4339aea9959f3c70ba8899fb212cb039ffa7f560965ef023b5fcec785d1441
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7FD7; Size: 4324 bytes
  • font_04_sfnt_off00008db2.bin
    SHA-256: 9f33bd4706ec21f7b87b93821e56f80a22a1acae1e018471756632441f7f724a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8DB2; Size: 10640 bytes
  • font_05_sfnt_off0000b0ae.bin
    SHA-256: 5b95ffb3556d01d2af66370249ec60dd07590b88951194da29ec47f8e7ca5ac7
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xB0AE; Size: 16708 bytes
  • font_06_sfnt_off0000c82a.bin
    SHA-256: af342db91665a4d826d9a3534a1ccd25063582d6700c2382c71bdce8c0cbe1cb
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xC82A; Size: 3500 bytes