Malicious PDF — malware analysis report

Static analysis result for SHA-256 79889b564d1b8c1a…

MALICIOUS

PDF

45.2 KB Created: 2020-08-05 23:08:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 79b3c1c188b8b1de5bd83f0e22b5feab SHA-1: d8fc7b46e31fd400a9854a076e8ca55216ff0982 SHA-256: 79889b564d1b8c1ac9b175dbe8c0c6c3aeea03226682acb0c95e849b6322e993
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF document contains embedded links that redirect to malicious infrastructure, as indicated by the 'PDF_MALICIOUS_REDIRECTOR_LINK' heuristic. The document body and heuristics suggest a lure related to invoices or payments, aiming to trick the user into clicking the malicious link. The presence of multiple PDF links also points to a link farm strategy. No scripts were extracted, but the primary attack vector appears to be redirection to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=einfache+buchungss%25C3%25A4tze+%25C3%25BCbungen+pdf
    • http://tabet.ae.ariatlandingpage.com/uploads/1/3/0/8/130874197/7236636.pdf
    • http://files.mastersextoys.com/uploads/1/3/2/6/132682585/sofebusobefeg-ponukiwofopum.pdf
    • http://files.firstbaptistwheatfield.com/uploads/1/3/2/7/132712209/1d35ff9.pdf
    • http://files.rachelcookold.com/uploads/1/3/2/3/132302859/delimit_gegolazumokisa.pdf
    • http://roweta.centerformarxisteducation.org/uploads/1/3/1/3/131384424/7039684.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0434/0911/3253/files/tazarivesijopituvik.pdf
    • https://cdn.shopify.com/s/files/1/0428/4357/0343/files/2767398053.pdf
    • https://cdn.shopify.com/s/files/1/0428/4160/4263/files/nugetimimafipo.pdf
    • https://cdn.shopify.com/s/files/1/0430/8844/5589/files/vomiting_child.pdf
    • https://cdn.shopify.com/s/files/1/0435/2717/6344/files/buwewes.pdf
    • https://cdn.shopify.com/s/files/1/0428/2135/3635/files/jowuduwokuludesobokager.pdf
    • https://cdn.shopify.com/s/files/1/0428/1863/3894/files/walexexorig.pdf
    • https://cdn.shopify.com/s/files/1/0431/3343/6055/files/95802265628.pdf
    • https://cdn.shopify.com/s/files/1/0434/9168/8610/files/76521331080.pdf
    • https://cdn.shopify.com/s/files/1/0429/4914/8828/files/romasuteradufumi.pdf
    • https://cdn.shopify.com/s/files/1/0431/9464/6689/files/94925729981.pdf
    • https://cdn.shopify.com/s/files/1/0431/3730/2679/files/88935318863.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006dde.bin
c67693974dbb0b8dd959a6e96bf0af4da65dc3a7fccf46def0aa738d3b2fd971		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DDE 5792 bytes
font_01_sfnt_off000080cf.bin
89a09dc34d3a3e0d8562f190f740d5481bfb51f14b96298f1402cd200151e4a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80CF 11236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.