Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae9f17f033885a10…

MALICIOUS

PDF

60.7 KB Created: 2020-10-14 19:35:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-23
MD5: 8b53c56d765c35e80760ca5b031e856e SHA-1: 18274b11ca3e733b0160b1759070c66805c641e3 SHA-256: ae9f17f033885a10946c59dc8481f4b9ee44a5c3a5200da6bc068369803dd587
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link farm designed to redirect users to malicious websites, as indicated by the 'PDF_MALICIOUS_REDIRECTOR_LINK' and 'PDF_SEO_LINK_FARM' heuristics. The document body, though heavily obfuscated, contains a URL that appears to be a lure for analytical reasoning questions. The ML classifier also strongly flagged this PDF as malicious. The primary attack pattern involves luring users to potentially harmful external content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/pify?keyword=tips+to+solve+analytical+reasoning+questions+pdf In PDF document text
    • https://povutepumik.weebly.com/uploads/1/3/2/7/132741486/wigunopel.pdfIn PDF document text
    • https://rewemekekebaz.weebly.com/uploads/1/3/1/4/131406535/474185.pdfIn PDF document text
    • https://jeponiruwapin.weebly.com/uploads/1/3/0/7/130776483/bubifapakorubera.pdfIn PDF document text
    • https://gimejexoxixaza.weebly.com/uploads/1/3/1/8/131872185/nesubine.pdfIn PDF document text
    • https://guwomenod.weebly.com/uploads/1/3/0/8/130873843/ligewajinaxi.pdfIn PDF document text
    • https://nudojafobedem.weebly.com/uploads/1/3/1/3/131379550/mowivuvabajanow_vusup.pdfIn PDF document text
    • https://kidunaxu.weebly.com/uploads/1/3/1/4/131437100/lefexoserizemojogi.pdfIn PDF document text
    • https://wepugimi.weebly.com/uploads/1/3/1/0/131070973/6276840.pdfIn PDF document text
    • https://jatorogerujew.weebly.com/uploads/1/3/2/7/132710569/rebodi.pdfIn PDF document text
    • https://tavumake.weebly.com/uploads/1/3/2/7/132740551/peparaximezur.pdfIn PDF document text
    • https://keniwuki.weebly.com/uploads/1/3/1/4/131483234/32e063a95e.pdfIn PDF document text
    • https://povutepumik.weebly.com/uploads/1/3/2/7/132741486/5058122.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://cdn.shopify.com/s/files/1/0434/5587/3190/files/98015241148.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/8547/1656/files/83339546272.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/9670/5691/files/angle_of_attack_indicator_garmin.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0493/5673/4620/files/jigowopulopexixedexemewu.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0268/8198/2645/files/limowenisujovizoda.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/1514/6136/files/bumunufesili.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f78c0f84-fccd-4326-968e-0b5f70110e30/47331123518.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d4047514-9c16-4a01-8427-65700b1deab5/bewanerodekogagekiferera.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b12d4c4a-ec9e-4f17-a870-48add645dbc0/gamimanokufasozexovutumo.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000acfa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xACFA 5560 bytes
SHA-256: df03a89ad65ff2eaf7917df630295c8002c7be13fd6387247bf692577c1df76e
font_01_sfnt_off0000bfeb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBFEB 10304 bytes
SHA-256: ffde3532c0a2afc01a295a5e098ae030ccf752dc99117ff00b66f7c12a6170a1