Malicious PDF — malware analysis report

Static analysis result for SHA-256 856684b4ca81ece1…

MALICIOUS

PDF

54.9 KB Created: 2020-08-01 07:18:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63a0dd97f5c7d2d4d6f89c7320d7f8af SHA-1: b670a39570a7b1e77e06d816123f8cbe6d71e510 SHA-256: 856684b4ca81ece199d4f99957b8f6f61e082b22b56207107e02eb2aef1378ad
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a mass of external links, including one pointing to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to 'Telegram spam bot' and embedded URLs, suggesting a lure to malicious content. The presence of numerous PDF links, many hosted on Shopify, indicates a link farm designed to distribute malicious content or engage in SEO manipulation for phishing purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=telegram+spam+bot
    • http://files.klodtap.com/uploads/1/3/0/8/130814254/4818312.pdf
    • http://files.danathebird.com/uploads/1/3/2/7/132712508/2067770.pdf
    • http://files.whiskeybenttradingco.com/uploads/1/3/0/7/130740175/wexupi_sufolulobewid.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/5794/6522/files/dalepe.pdf
    • https://cdn.shopify.com/s/files/1/0433/3551/6318/files/50189059211.pdf
    • https://cdn.shopify.com/s/files/1/0430/0197/0837/files/detedotekilapuli.pdf
    • https://cdn.shopify.com/s/files/1/0431/4356/1376/files/winanokawakixapinimima.pdf
    • https://cdn.shopify.com/s/files/1/0430/4027/6642/files/70535820505.pdf
    • https://cdn.shopify.com/s/files/1/0427/9179/6902/files/14335635766.pdf
    • https://cdn.shopify.com/s/files/1/0431/5525/9560/files/mimadarofam.pdf
    • https://cdn.shopify.com/s/files/1/0431/7826/2692/files/39225339280.pdf
    • https://cdn.shopify.com/s/files/1/0433/5039/2984/files/30677569640.pdf
    • https://cdn.shopify.com/s/files/1/0428/0942/6079/files/70744301236.pdf
    • https://cdn.shopify.com/s/files/1/0431/8537/3333/files/wotupukarajinuwobin.pdf
    • https://cdn.shopify.com/s/files/1/0432/8793/7179/files/87986622379.pdf
    • https://cdn.shopify.com/s/files/1/0439/3140/2395/files/zudigalomojir.pdf
    • https://cdn.shopify.com/s/files/1/0433/3410/7286/files/27169652571.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007247.bin
5cbdde9b91d3fff5a0fba8022bf365973c426bde19343f8a50cfeb4ca9ee38c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7247 5228 bytes
font_01_sfnt_off000083ee.bin
be4a4ae72981eefee292fc35634f8bc127c872c95327cdd41f673bb5066241e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83EE 3348 bytes
font_02_sfnt_off0000912a.bin
76e1f274d935fbc5bd83e0e237b95d35b20f756af1aae5ea4279a9bca5132aeb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x912A 12144 bytes
font_03_sfnt_off0000b898.bin
abc1f89024844201b52cb14487611dbdf17c738e0f81c55c6c9b301f405a1857		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB898 16296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.