Malicious PDF — malware analysis report

Static analysis result for SHA-256 83e7cb18eed05995…

MALICIOUS

PDF

39.5 KB Created: 2020-08-10 02:53:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc89f26be05c135dea525f59d654603d SHA-1: 46228d2b1181a3eb81c0b8686d52d943f1d6fd28 SHA-256: 83e7cb18eed05995a65d6fd0a5abeb99744405c10a323aaf074862259f08ba75
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a lure related to 'Canara bank net banking application form' and includes a link to a known malicious redirector. The document body, though partially corrupted, contains embedded URLs that are part of a link farm, suggesting an attempt to manipulate search engine results or distribute malicious content. The presence of multiple embedded URLs and the critical heuristic firing for a malicious redirector strongly indicate a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=canara+bank+net+banking+application+form+pdf
    • http://files.magnumconcretecorp.com/uploads/1/3/1/3/131398036/zadujimozuzegasodon.pdf
    • http://zirele.antonio-oliveirafilho.com/uploads/1/3/1/6/131606552/pifawufamuvufopu.pdf
    • http://monotu.theribbonloft.com/uploads/1/3/1/1/131164243/4575660.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0439/3651/4216/files/13821397943.pdf
    • https://cdn.shopify.com/s/files/1/0437/8794/4094/files/xipepikepelenu.pdf
    • https://cdn.shopify.com/s/files/1/0433/4754/2175/files/keyboard_input_java.pdf
    • https://cdn.shopify.com/s/files/1/0428/2938/1791/files/xutofojumopaponujidero.pdf
    • https://cdn.shopify.com/s/files/1/0439/7717/9294/files/berabejufavogojo.pdf
    • https://cdn.shopify.com/s/files/1/0428/5700/5215/files/wibadoturep.pdf
    • https://cdn.shopify.com/s/files/1/0435/4395/3567/files/rojifigukigofebiraxep.pdf
    • https://cdn.shopify.com/s/files/1/0434/0944/0935/files/faringoamigdalitis_bacteriana_pediatria.pdf
    • https://cdn.shopify.com/s/files/1/0430/5308/8919/files/autel_evo_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/6657/2441/files/el_pollo_loco_menu.pdf
    • https://cdn.shopify.com/s/files/1/0432/8259/6000/files/75377224627.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c6b.bin
60256da84d141940813fcba5dc543f87d5719b56651fb9581ae472824a075288		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C6B 5408 bytes
font_01_sfnt_off00006eb9.bin
79698afb0e6d9b3f6b1fc2fb60e073968a3d18ad51f5f7d313ebcf08989b78c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EB9 9952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.