Malicious PDF — malware analysis report

Static analysis result for SHA-256 82af8c7a19ee51c6…

MALICIOUS

PDF

38.2 KB Created: 2020-11-09 02:15:59 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: 2e13c3509c2288d14e8b1a007944e73c SHA-1: 1e3b3028ce07dfc5544c89bc8df260d8b11e1aa8 SHA-256: 82af8c7a19ee51c603f011cec5bcd5242e4d64e291735ac7ac2215afda9c51b8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one critical heuristic identifying it as a PDF redirector link pointing to a known malicious domain. The document body text, though heavily obfuscated, contains the string "You tv player application" and the malicious URL, suggesting a lure to download potentially unwanted or malicious software. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/123?keyword=you+tv+player+application In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/9115670a-f7e1-459f-9a2f-75cbf1ac23a4/wii_motion_plus_controller_for_sale.pdfIn PDF document text
    • https://pevepunak.files.wordpress.com/2020/11/26397039200.pdfIn PDF document text
    • https://s3.amazonaws.com/zokokamu/peoria_county_recorder_of_deeds_office.pdfIn PDF document text
    • https://tevarew.files.wordpress.com/2020/11/88608638079.pdfIn PDF document text
    • https://s3.amazonaws.com/nokiwovowus/71919173982.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7e60603f-2027-4ad0-88c9-03f2580e9620/valkyrie_connect_apk_hack.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/86259bbb-fd6d-4878-b23d-ad39b2d76774/7854925704.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/40439552-ebec-4c30-af30-e3c900918060/window_plant_shelf_outdoor.pdfIn PDF document text
    • https://s3.amazonaws.com/pojojagajevuxa/vietnam_war_conditions_and_environment.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bff5b352-0623-4a95-9a7b-a1d538ae68ee/blackmart_apk_app_for_iphone.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/63a4c104-9a3f-48df-8fde-1bfdad8bb87a/gel_medium_transfer_to_canvas.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000059c0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x59C0 4872 bytes
SHA-256: 3cfee2d0bfe4ec1e5a436c3aa451f5c9c515e33de22668d4ccf313453a20cc45
font_01_sfnt_off00006a73.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6A73 10028 bytes
SHA-256: 320441c9d90d895487db2cf67d69be0ad183fb8a2cf35ea8e1f1712d2588e93c