Malicious PDF — malware analysis report

Static analysis result for SHA-256 818003062233c329…

Verdict: MALICIOUS
File type: PDF
Size: 54.7 KB
Created: 2020-07-25 16:45:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0f56a022f83b1a1f5cca81d1db0d1367
SHA-1: 01e6cf4d0587bfda74281c2037b3feb0ad3a2383
SHA-256: 818003062233c329c8d4acaa51dec6e121fdac6687fc29db3ea0f2c32e4c6955
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to Shopify domains hosting other PDFs, suggesting a link farm or SEO poisoning tactic. One critical heuristic indicates a link to a known malicious redirector. The document body, though heavily obfuscated, contains keywords related to the embedded URLs, reinforcing the lure. The primary malicious IOC is the redirector URL, which is likely the entry point to a further malicious stage.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF links to known malicious redirector infrastructure (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] Small PDF contains mass external PDF link farm (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] Object number defined twice with different bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000799c.bin
    SHA-256: 52ab3e769f4726194948d93a8ac1710c0cbd7dff2fd54ff7079987e9b59113a5
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x799C    Size: 5152 bytes
  • font_01_sfnt_off00008b3f.bin
    SHA-256: 72dc5a6ca4a5f097d48e1a0abdda47e7db48fc854f191c1dd3a8498734da29cc
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x8B3F    Size: 4300 bytes
  • font_02_sfnt_off00009b5b.bin
    SHA-256: 11dd1b57408ed9f11d31960c79c3826d9c1b6247d0f0d0c33cc63a77410b65e2
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x9B5B    Size: 10852 bytes
  • font_03_sfnt_off0000bf57.bin
    SHA-256: ee8afa51e50492bdf4d25b6b01818d2021856a0eb5271b70f188e6d094f25891
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0xBF57    Size: 2832 bytes