Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e9bd186c26300d0…

MALICIOUS

PDF

41.6 KB Created: 2020-10-08 04:18:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-23
MD5: 98b869000b15b9bfe16a68deb8115b02 SHA-1: ab77a7760d4fd0fb36ddb05331acd1d85470b78c SHA-256: 9e9bd186c26300d064010861d50d750ab8d2a12742cf17d61d8d40624938d180
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file contains an embedded script that redirects to a known malicious URL, likely to download a second-stage payload. The ML classifier also flagged this PDF as malicious with high confidence. The embedded script itself does not contain executable code but rather metadata, however, the PDF structure and heuristics indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=windows+powershell+cookbook+pdf In PDF document text
    • https://site-1036956.mozfiles.com/files/1036956/bitubopifakewexakukuror.pdfIn PDF document text
    • https://site-1042737.mozfiles.com/files/1042737/butuvavitujadipowidomiso.pdfIn PDF document text
    • https://site-1036956.mozfiles.com/files/1036956/pupijafebotuwerun.pdfIn PDF document text
    • http://files.dia-healthcare.com/uploads/1/3/2/6/132682813/5233548.pdfIn PDF document text
    • http://soxas.scotholme.com/uploads/1/3/0/7/130739385/b309fe52a28e71.pdfIn PDF document text
    • http://files.veteranshealthfoundation.com/uploads/1/3/0/7/130738812/nufodizedojob.pdfIn PDF document text
    • http://dopabota.reinmotivation.com/uploads/1/3/0/8/130814088/dupebozidulux-zerabefi-sobuxuruzutor.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/6956a962-bb14-466b-9553-2f35dad04937/befod.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/60f73882-0acc-4e6c-82d4-5f0524e6a68b/taxigemadik.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/53bab525-374c-46e0-8ab7-ce234c406e36/wunexapelidopujej.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0000a11f.bin pdf-embedded-script PDF raw stream script payload at offset 0xA11F 1581 bytes
SHA-256: 40abff2427f9212ec25496c0e73de2f0345629399a951b4ca0d1037ef889127d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script
<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Pdftk'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>

 <rdf:Description rdf:about=''
  xmlns:dc='http://purl.org/dc/elements/1.1/'
  dc:format='application/pdf'>
  <dc:creator>
   <rdf:Seq>
    <rdf:li>Pibipo Guyokajonu</rdf:li>
   </rdf:Seq>
  </dc:creator>
  <dc:description>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>Windows powershell cookbook pdf. Title Windows PowerShell Cookbook: A Complete Script Guide by Microsoft Team Shell Author (s) Lee Ho</rdf:li>
   </rdf:Alt>
  </dc:description>
  <dc:subject>
   <rdf:Bag>
    <rdf:li>Windows powershell cookbook pdf. Title Windows PowerShell Cookbook: A Complete Script Guide by Microsoft Team Shell Author (s) Lee Ho</rdf:li>
   </rdf:Bag>
  </dc:subject>
  <dc:title>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>Windows powershell cookbook pdf</rdf:li>
   </rdf:Alt>
  </dc:title>
 </rdf:Description>

 <rdf:Description rdf:about=''
  xmlns:pdf='http://ns.adobe.com/pdf/1.3/'
  pdf:Producer='Pdftk'/>

 <rdf:Description rdf:about=''
  xmlns:xmp='http://ns.adobe.com/xap/1.0/'
  xmp:CreateDate='2020-04-23T17:17:42'
  xmp:CreatorTool='Pdftk'/>

 <rdf:Description rdf:about=''
  xmlns:xmpMM='http://ns.adobe.com/xap/1.0/mm/'
  xmpMM:DocumentID='6c5adfc9-32f8-4977-b093-6d9e1acd5826'
  xmpMM:InstanceID='ea03f5c5-922e-47b8-8568-b3cafe79670d'/>

 <rdf:Description rdf:about=''
  xmlns:xmpRights='http://ns.adobe.com/xap/1.0/rights/'
  xmpRights:Marked='True'/>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end='w'?>
font_00_sfnt_off000062bf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x62BF 5340 bytes
SHA-256: 3adcf4e687434a92b3d778c52c668a62c6579749b8e86f01898b9110941eaab8
font_01_sfnt_off000074fe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x74FE 10864 bytes
SHA-256: b5529bff6f360858a9b38252b0ce34f9a4d397198c9204d7b08104d3e373171b