Malicious PDF — malware analysis report

Static analysis result for SHA-256 75465913a7c7fb61…

MALICIOUS

PDF

48.9 KB Created: 2020-08-07 21:34:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2393caa2300b097e0f6eee4172a9d749 SHA-1: f09eb782a02e2a676120b14e73d2f61213602f92 SHA-256: 75465913a7c7fb61eabdbba977fc70226dfa2ccbe00e7eb098e48796641408ed
254 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF contains an embedded JavaScript payload that likely attempts to exploit vulnerabilities or redirect the user. The document body and embedded scripts contain numerous links, including a malicious redirector at 'https://ttraff.com/pify?keyword=myxedema+coma+treatment+guidelines+pdf', which leads to a farm of other PDF documents. This suggests a campaign to distribute malicious content or phish for information.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=myxedema+coma+treatment+guidelines+pdf
    • http://files.buckmotorsports.com/uploads/1/3/1/1/131164488/3362656.pdf
    • http://files.ericmccarron.com/uploads/1/3/1/1/131163736/5150701.pdf
    • http://busol.knoxvillebodywrap.com/uploads/1/3/0/7/130738799/2427534.pdf
    • http://files.coastguardball.org/uploads/1/3/1/3/131380292/6626359.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/1568204463.pdf
    • https://cdn.shopify.com/s/files/1/0428/1021/2519/files/65823448336.pdf
    • https://cdn.shopify.com/s/files/1/0438/2310/4160/files/bunetaxofofogugu.pdf
    • https://cdn.shopify.com/s/files/1/0430/5541/5445/files/cambridge_english_first_fce_official_past_papers.pdf
    • https://cdn.shopify.com/s/files/1/0437/1247/9382/files/94772304977.pdf
    • https://cdn.shopify.com/s/files/1/0437/6195/9069/files/78006173400.pdf
    • https://cdn.shopify.com/s/files/1/0435/8494/6333/files/automate_the_boring_stuff_with_powershell.pdf
    • https://cdn.shopify.com/s/files/1/0444/6837/1623/files/rationalize_radicals.pdf
    • https://cdn.shopify.com/s/files/1/0435/7616/4515/files/p_square_beautiful_onyiye.pdf
    • https://cdn.shopify.com/s/files/1/0431/1734/6965/files/jubanose.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1/0444/6837/1
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_00002f1a.bin
dd01417440aa1ab6e5f58b55bfabd2f878c37dfd74964669e666101ea9130d58		 pdf-embedded-script PDF decompressed stream script payload at offset 0x2F1A 50026 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
font_00_sfnt_off00007efe.bin
b82f88dc2ab21ecb78a71eaf2c5c9e749a3f3d7a6b0b4d66b3bcdd97942f0193		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EFE 5652 bytes
font_01_sfnt_off00009241.bin
b6fc94661e5f13e22cf4839afa51f5fde5ccf8fcfbe0553f124a22a9e3879fed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9241 10620 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.