Malicious PDF — malware analysis report

Static analysis result for SHA-256 72c7b7a51ca99b28…

MALICIOUS

PDF

45.1 KB Created: 2020-08-30 04:10:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fa3ebe00ede66601f2e05af329e3a2ef SHA-1: 2c1352ec4d4f48162a2030d81bcc7bc254f9daea SHA-256: 72c7b7a51ca99b283c74f7234db5fad0ffe66fe4520ec97ed1a63d632fc358f2
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a link to a known malicious redirector infrastructure, disguised with a 'steve harvey books' keyword, and is flagged as an advance-fee scam lure. The document body, though heavily obfuscated, also contains this URL and numerous other links to PDF files, suggesting a link farm or redirection mechanism. The ML classifier strongly indicates maliciousness, and the presence of embedded URLs points towards a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=steve+harvey+books
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/b8c837_89144cee0e56416bb73b154dfc3b7f77.pdf
    • https://static.usrfiles.com/ugd/b8c837_19e102540730479fa24403e4e216ae7d.pdf
    • https://static.usrfiles.com/ugd/1c90dc_5949914479134c1bbd5f111e42ec22a4.pdf
    • https://static.usrfiles.com/ugd/9c0842_6e0637c643794199acc4a64a9dbcdb9e.pdf
    • https://static.usrfiles.com/ugd/6846fe_8cb6c4836a11437daddb5f0f3d3e1046.pdf
    • https://static.usrfiles.com/ugd/b8c837_3635a1af29d649b2bb88033299c6ccbd.pdf
    • https://static.usrfiles.com/ugd/b8c837_09ff9eee10534719a34530a46cfcff34.pdf
    • https://cdn.shopify.com/s/files/1/0428/0687/0183/files/20248770969.pdf
    • https://cdn.shopify.com/s/files/1/0427/5906/1670/files/44987719893.pdf
    • https://cdn.shopify.com/s/files/1/0432/7286/3907/files/how_to_change_home_page_on_firefox.pdf
    • https://cdn.shopify.com/s/files/1/0439/7678/6078/files/47957178393.pdf
    • https://static.usrfiles.com/ugd/921909_a9a4363e5caf419e9d459df7b8e3f027.pdf
    • https://static.usrfiles.com/ugd/824332_b30d48feaee24cbc8d019323bf438a09.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006842.bin
8162cd4e9607bedc41987152db9172675b579470e8e212729d5a5ff14a53fde7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6842 1804 bytes
font_01_sfnt_off0000711c.bin
f31de6b51e327e70898c545c201c8fe12872ef6fea209e1bed238ee083ea0bdc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x711C 5212 bytes
font_02_sfnt_off000082d7.bin
b81734754707b1c31abcf5dcac89ade3869c21928a4be5c750696f9d7049b1cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x82D7 10956 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.