Malicious PDF — malware analysis report

Static analysis result for SHA-256 721ad36be553eb13…

MALICIOUS

PDF

42.9 KB Created: 2020-09-16 21:55:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01d15a107628bb6281a29b97c615c58a SHA-1: dca542cdecab4fc70a51cace4b4c18cc7055e4cf SHA-256: 721ad36be553eb136ba74008ff03e7506a7a26c9bdc93cd88a870e4c28b76e82
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded links, many of which point to external PDF documents hosted on disposable domains. One of the primary links directs to a known malicious redirector infrastructure, suggesting a phishing or malware distribution attempt. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=palazzo+rucellai+ap+art+history
    • http://bufulutoj.dobiesbydullea.com/uploads/1/3/1/4/131454106/04e0db4.pdf
    • http://files.saltspringeasterarttour.com/uploads/1/3/0/7/130775017/c0c0996ae4839a8.pdf
    • http://fubunutad.phantom-quartz.com/uploads/1/3/0/8/130874380/2163059.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0441/2679/7976/files/petevetosatoxituz.pdf
    • https://cdn.shopify.com/s/files/1/0461/6650/7672/files/rimuwujimesapaw.pdf
    • https://cdn.shopify.com/s/files/1/0437/0428/7383/files/93986137891.pdf
    • https://cdn.shopify.com/s/files/1/0431/5850/3573/files/zowezerujatofida.pdf
    • https://cdn.shopify.com/s/files/1/0428/3400/2086/files/wondershare_mobile_transfer_free_full_version.pdf
    • https://23dd05f9-6dde-432e-8d5c-a9e3b6e80be7.filesusr.com/ugd/3bcfef_130807f3df0c4e6ba3269ce4578968f7.pdf?index=true
    • https://97d2cdaa-8660-4b43-b9bf-bf62108bb6a2.filesusr.com/ugd/e50c99_cf02df8057ea48ebb115262c9f50ca4e.pdf?index=true
    • https://2cdc0cb1-2bb9-41b0-8309-a0380b4b8b7c.filesusr.com/ugd/ac8c68_dd20c454b3694f6194d7eadcd3e5e724.pdf?index=true
    • https://470ecfe9-077e-46eb-a97b-d0161cb2142e.filesusr.com/ugd/3801ff_24c442dc1fab4ba493600098cc0eaf35.pdf?index=true
    • https://7a461aa6-de8e-4238-9056-c66bf424fbee.filesusr.com/ugd/b56239_ad59eac179db47dc81844d84c0f4cf58.pdf?index=true
    • https://0a2812a3-cbad-4ce6-9a65-b415bdb4cdbb.filesusr.com/ugd/a2de88_91f58f61bc2d4fcb8f9b5b55db6312fc.pdf?index=true
    • https://76161fb8-02b5-494f-901f-40786805b386.filesusr.com/ugd/3283b0_4dea5fab7d0d4892aed3fcb36818d053.pdf?index=true
    • https://1d41803c-4cb4-4a67-88df-bf0c78897834.filesusr.com/ugd/724bd4_a049e751201d4656bc74922c90783e62.pdf?index=true
    • https://4446b154-476f-488f-8f87-81096e721726.filesusr.com/ugd/696117_1846f7f928b54ee9b189cd9185d45243.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a6d.bin
08ecea0842eb84485466ac874923f2d5df84d0bb5d3524affae2e98ce01a21ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A6D 5172 bytes
font_01_sfnt_off00007c0e.bin
7bc1e587c68306a73b33c2b67828a9ffd18ee81a831c652b015e00a17641e611		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C0E 10112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.