Malicious PDF — malware analysis report

Static analysis result for SHA-256 76529a0d7fd6d65d…

MALICIOUS

PDF

43.7 KB Created: 2020-08-23 04:09:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0ed04344736edca8ed8e9512bc633e20 SHA-1: eb1571b2f2d134a80d2b88b52074df7469a480c4 SHA-256: 76529a0d7fd6d65db5d66be450896ec736949c616af20c5055e873380382add4
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of embedded links, many of which point to external PDFs hosted on various domains. One of these links, 'https://ttraff.ru/pify?keyword=april+2019+act+answer+explanations', is flagged as a known malicious redirector. The document's content, including metadata and embedded text, suggests a lure to disguise the malicious link farm. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=april+2019+act+answer+explanations
    • http://susazotik.baptistcenterchurch.org/uploads/1/3/1/8/131871622/petejebebonekebagun.pdf
    • http://files.virginianimarkoh.net/uploads/1/3/2/7/132740541/salamoduje-pejesonuvaka-tidutisazowonu-kulutuker.pdf
    • http://wixexe.trupbsc.ca/uploads/1/3/1/0/131069869/4468639.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0432/5235/1144/files/free_career_astrology_report_2019.pdf
    • https://cdn.shopify.com/s/files/1/0438/1261/8402/files/durutimevakagizojabawuvep.pdf
    • https://cdn.shopify.com/s/files/1/0437/9561/1810/files/dropbox_pro_apk_full.pdf
    • https://cdn.shopify.com/s/files/1/0433/2873/3352/files/gobufosijurarimafikewotu.pdf
    • https://cdn.shopify.com/s/files/1/0438/3493/3408/files/39071768491.pdf
    • https://cdn.shopify.com/s/files/1/0444/2708/3943/files/car_bill_of_sale_texas.pdf
    • https://cdn.shopify.com/s/files/1/0429/8860/1503/files/41997144317.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/20726054751.pdf
    • https://cdn.shopify.com/s/files/1/0440/5320/1046/files/93169470799.pdf
    • https://cdn.shopify.com/s/files/1/0437/6464/6049/files/kenmore_washer_troubleshooting_codes.pdf
    • https://cdn.shopify.com/s/files/1/0434/0196/9820/files/gmo_2020.pdf
    • https://cdn.shopify.com/s/files/1/0431/7193/8453/files/jedanexubapasonurimo.pdf
    • https://cdn.shopify.com/s/files/1/0433/7601/7559/files/can_t_hold_us_lyrics_macklemore.pdf
    • https://cdn.shopify.com/s/files/1/0433/8266/9464/files/97761332721.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e11.bin
493abf54bd6797866ef1a1b32ba4a274dc5c4a060eaa9389a548c1d49b1360a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E11 5348 bytes
font_01_sfnt_off0000704c.bin
3234a4efd06cb0a5dbeecf50e8e7b7d3ef61a33de1bc3b4b103f60a9d717fc1e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x704C 10432 bytes
font_02_sfnt_off000093c0.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x93C0 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.