Malicious PDF — malware analysis report

Static analysis result for SHA-256 774e28ccc5eba2fb…

MALICIOUS

PDF

55.3 KB Created: 2020-10-27 21:49:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f00621e9ac7836e36497a21ddfa666c8 SHA-1: 75ef1ef40fdf8f23c505fdfdb854c644453bf3c3 SHA-256: 774e28ccc5eba2fb1e38dbc01349374f4f70d73dbea3542e0d789384d76e514b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://gettraff.ru/strik?keyword=mpow+flame+bluetooth+headphones+waterproof+ipx7+instructions'. Additionally, the PDF is flagged as a link farm, containing numerous external links, many of which are to Shopify-hosted PDFs. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, appears to contain the same malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=mpow+flame+bluetooth+headphones+waterproof+ipx7+instructions
    • https://meporolokiso.weebly.com/uploads/1/3/2/6/132681401/jemapene-pajemopiw-tenorunep.pdf
    • https://nafuxiba.weebly.com/uploads/1/3/4/0/134097784/efc52bec4083af.pdf
    • https://winomumamo.weebly.com/uploads/1/3/1/0/131070375/gekatefobawo.pdf
    • https://mitixofixomu.weebly.com/uploads/1/3/4/3/134333727/d4734c198eec25.pdf
    • https://zitidatuviwe.weebly.com/uploads/1/3/4/4/134493200/demir.pdf
    • https://kuromazu.weebly.com/uploads/1/3/2/6/132695519/texujoko-webudutasonorok.pdf
    • https://cdn-cms.f-static.net/uploads/4388617/normal_5f8e601a8addf.pdf
    • https://cdn-cms.f-static.net/uploads/4379032/normal_5f93986d343f3.pdf
    • https://cdn-cms.f-static.net/uploads/4365546/normal_5f942159d02fa.pdf
    • https://cdn-cms.f-static.net/uploads/4407316/normal_5f94841e39236.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0482/3279/2216/files/stickman_hero_2_mod.pdf
    • https://cdn.shopify.com/s/files/1/0495/6307/4712/files/nopif.pdf
    • https://cdn.shopify.com/s/files/1/0500/9424/4008/files/air_hockey_unblocked_2_player.pdf
    • https://cdn.shopify.com/s/files/1/0496/6789/9551/files/33090981811.pdf
    • https://s3.amazonaws.com/zetare/499515698.pdf
    • https://cdn.shopify.com/s/files/1/0437/6035/3429/files/tomapetebumobi.pdf
    • https://cdn.shopify.com/s/files/1/0484/9519/8363/files/lowuxudax.pdf
    • https://cdn.shopify.com/s/files/1/0501/7757/3043/files/kudoxi.pdf
    • https://cdn.shopify.com/s/files/1/0485/1620/2651/files/dd_summoner_class_5e.pdf
    • https://cdn.shopify.com/s/files/1/0476/9316/8806/files/11759001344.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008124.bin
b7e7fb229de38438b7e583a7d0d69c96a54d636a19ac76cd5a0c4ebc4bae4f49		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8124 5780 bytes
font_01_sfnt_off000094cd.bin
ff98e30f5de2b834737b28e9fa9ee0e908bdf95fe1a0ec44d8c9c1bbf1c882ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x94CD 10956 bytes
font_02_sfnt_off0000b9ed.bin
b2ddecaff7e2361bf51021b35f9c014659943b600c4f466cb4656cea9e83b80e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB9ED 16088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.