Malicious PDF — malware analysis report

Static analysis result for SHA-256 b377795d3c9e3abe…

MALICIOUS

PDF

39.6 KB Created: 2020-11-02 15:41:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-27
MD5: 3669f8da7ad9a8733b04d3c84790cd5d SHA-1: c87849f71d81a4d00f77d2ae81b69fa04ff7bbdf SHA-256: b377795d3c9e3abe605085f02e9333de6d147a72f76d57c7a2f81b3aa8f3064c
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.007 JavaScript

The PDF contains a link that directs to malicious infrastructure, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body and the SE_BROWSER_INSTALL_LURE heuristic indicate a social engineering attempt to trick the user into installing a browser extension or update. The ML_NYX_PDF_MALICIOUS classifier also strongly suggests malicious intent. No scripts were extracted, but the embedded link is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/123?keyword=download+rogue+one+free In PDF document text
    • https://cdn-cms.f-static.net/uploads/4453579/normal_5f9f6789572eb.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/d4475a46-7206-4f3a-8cdc-64f0ff745a95/information_assurance_maturity_model_level_3.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5f4fed24-a0e5-4434-84cc-d841612349e6/43499929099.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2cc73821-0d33-4622-ae58-304983fc2daa/dungeons_and_dragons_5th_edition_dungeon_masters_guide.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e925c755-251d-4f97-9428-e05a35402699/66324902078.pdfIn PDF document text
    • https://s3.amazonaws.com/kovilowab/what_is_the_tone_of_thanatopsis.pdfIn PDF document text
    • https://s3.amazonaws.com/rokuwapesu/kitusoxodetuxofuvomevunir.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0503/1464/1605/files/33031967147.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e1f1e2df-f176-4831-bfd5-21ca9885fa77/beburowim.pdfIn PDF document text
    • https://s3.amazonaws.com/mijedusovineti/nafipofobipasorixolof.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/eb69ff9d-e623-4c96-a789-7ac74218a0ee/fogaki.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ce9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5CE9 4988 bytes
SHA-256: 20872ecc7b060654dac7544a432cb8ee5f2f272d721d9d21d06dc9bed474627f
font_01_sfnt_off00006e0b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6E0B 10524 bytes
SHA-256: 295522564c1083a59e9fd5e92198ebbe490987334763b61318234e4b1ffedd93