Malicious PDF — malware analysis report

Static analysis result for SHA-256 87866db754bdfe66…

MALICIOUS

PDF

40.1 KB Created: 2020-08-29 04:24:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e6752d022f79f49ce004e84f95a87a37 SHA-1: db7e0a41b3791f9d7e8036bcb8bc28142136d982 SHA-256: 87866db754bdfe66771b6ab5a069e1f710f7ff7aede8204c58d9e6a5d6f93a7b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one specifically pointing to a known malicious redirector. The PDF_SEO_LINK_FARM heuristic indicates a large number of external links, suggesting an attempt to obscure the malicious destination or distribute malware through a link farm. The ML_NYX_PDF_MALICIOUS classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=you+trade+jp+morgan
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0462/3800/7456/files/jubajeguzawomiri.pdf
    • https://cdn.shopify.com/s/files/1/0430/8362/8708/files/english_speaking_course_in_urdu_100_days.pdf
    • https://cdn.shopify.com/s/files/1/0438/1048/8477/files/fundamentals_of_algorithmics_gilles_brassard.pdf
    • https://cdn.shopify.com/s/files/1/0451/3693/7125/files/list_of_2000s_anime.pdf
    • https://static.usrfiles.com/ugd/b8c837_bf91498ea48742079480099e6ea22503.pdf
    • https://static.usrfiles.com/ugd/b8c837_f998caf58f444d5c9ba04198824a294b.pdf
    • https://static.usrfiles.com/ugd/b8c837_8c092c741a184fd3b44695179e4c95d1.pdf
    • https://static.usrfiles.com/ugd/b8c837_b3d1e5b9c4dc424298829ba826c98630.pdf
    • https://cdn.shopify.com/s/files/1/0433/4521/5656/files/random_url_generator.pdf
    • https://cdn.shopify.com/s/files/1/0433/4803/3689/files/catalogo_ikea_2020_espaol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f68.bin
87e08364519df9149ea3a97b7584d1f3311c87206150b9588e95cf31194778b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F68 5104 bytes
font_01_sfnt_off000070bc.bin
c9e324aa0963a669bd6f198ac3e947ca307698e0f853a083dced959553c76b93		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70BC 10244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.