Malicious PDF — malware analysis report

Static analysis result for SHA-256 7275e505855b9bc4…

MALICIOUS

PDF

Size: 121.7 KB
Created: 2020-07-28 15:52:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7cbd15507238a73890c2f6d9728eec1c
SHA-1: 469738cf8b969bbb8e1cc0610779afeae0d45ef3
SHA-256: 7275e505855b9bc4fa84642d3307b034a4689725dc2f3c8b60449b5fa10935ba
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, with at least one pointing to known malicious redirector infrastructure. The ML classifier also strongly indicated maliciousness. The document body appears to be obfuscated or corrupted, preventing a clear understanding of its specific lure, but the presence of numerous external links suggests a redirection-based attack, possibly for phishing or SEO poisoning.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • stream_009_off0001ac10.bin
    SHA-256: 27981304d7dcfaea47e303a43a78594662e81863bcd73001763ed235af319c39
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1AC10
    Size: 24776 bytes
  • font_00_sfnt_off00010879.bin
    SHA-256: 44f052dc8b583343c6905b7258ff873f0f049d95dac9f7c5c235e8722c037839
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10879
    Size: 32072 bytes
  • font_01_sfnt_off00016c15.bin
    SHA-256: 77ab47f75db036f4e479329cab18ea18d9983cadb3f92d43a9844666bff4fdf7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16C15
    Size: 4772 bytes
  • font_02_sfnt_off00017c1a.bin
    SHA-256: f07e40d5ee17d82e1a10666c4d39729a8072f8bab50969485eaca7664f512947
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17C1A
    Size: 15392 bytes