Malicious PDF — malware analysis report

Static analysis result for SHA-256 727a6ac41575078c…

MALICIOUS

PDF

122.6 KB Created: 2020-08-04 01:28:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83380efa9fe215f438284498ca151bf5 SHA-1: 61f7a49652beb22fbe5e85b5f1e2279bab9859f2 SHA-256: 727a6ac41575078c8767e84458083f0e8a14b770aa610798ac3f540c58de0839
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains a URL that appears to be a lure for 'navy jobs 2020 advertisement pdf'. The ML classifier strongly indicates maliciousness, and the presence of a malicious redirector confirms the intent to lead users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=navy+jobs+2020+advertisement+pdf
    • http://files.timhamelprofessionalmassage.com/uploads/1/3/2/6/132681233/bfa1b3b5e72c4.pdf
    • http://files.jessicaadamson.com/uploads/1/3/0/7/130775379/paxapebijuxex_nabuputafa_toworukupa_vumovenuf.pdf
    • http://files.housefitstl.com/uploads/1/3/0/9/130969474/42dd10f153018.pdf
    • http://files.artworksvass.com/uploads/1/3/1/0/131070604/wifarunudegonazowuxi.pdf
    • http://files.johnlinneball.com/uploads/1/3/1/4/131406558/3649633.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://fedorahosted.org/lohit
    • https://cdn.shopify.com/s/files/1/0429/5049/2316/files/wawimumilixiboravibezoluw.pdf
    • https://cdn.shopify.com/s/files/1/0430/5901/9927/files/34970646113.pdf
    • https://cdn.shopify.com/s/files/1/0431/9356/5342/files/gorerawimigawozunap.pdf
    • https://cdn.shopify.com/s/files/1/0438/8470/7992/files/network_topology_ppt.pdf
    • https://cdn.shopify.com/s/files/1/0432/2122/1533/files/49174573418.pdf
    • https://cdn.shopify.com/s/files/1/0439/5306/2046/files/farove.pdf
    • https://cdn.shopify.com/s/files/1/0434/2926/5574/files/64897604894.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/41841620016.pdf
    • https://cdn.shopify.com/s/files/1/0434/8549/5453/files/sumoxuxipexuwezadafalus.pdf
    • https://cdn.shopify.com/s/files/1/0430/0118/4417/files/makemexirekagasijizuxum.pdf
    • https://cdn.shopify.com/s/files/1/0430/0495/2735/files/fewupi.pdf
    • https://cdn.shopify.com/s/files/1/0430/1206/3391/files/fuwogizifarijuroribefav.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00018073.bin
6cdaf1b149449da2f934b8f7f635123d2ba19ce5e0b4b1cc0b3574bad8ee6173		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18073 5564 bytes
font_01_sfnt_off0001934b.bin
c1f76e790abed3cddd3abdbe1c4904ffe8666486949e30252d66ddecb863d155		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1934B 14512 bytes
font_02_sfnt_off0001c08f.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C08F 4324 bytes
font_03_sfnt_off0001ce8e.bin
81dbc41fae77f2f3d5671fc69fbdb5bb5155bf5a48a9fb0f5473809b9802d2cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1CE8E 3532 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.