Malicious PDF — malware analysis report

Static analysis result for SHA-256 b70204ee97caaedf…

MALICIOUS

PDF

81.5 KB Created: 2020-11-24 07:22:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: 69c399d28a3febf66c1e5eca90695a51 SHA-1: 2a12b4c16f8d0e385302075a9070df75951e9ec1 SHA-256: b70204ee97caaedff857bf98eb15c39329a72b06a355e1fd272faea2e806f2f1
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains heuristics indicating it is a malicious document, specifically a lure for free downloads. The document body presents itself as a 'Disney itinerary template excel' to entice the user. It contains a high-risk redirector URL that likely leads to the download of a secondary malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cdn-cms.f-static.net/uploads/4370076/normal_5f8a41d3bfd18.pdf In PDF document text
    • https://trafffe.ru/aws?utm_term=disney+itinerary+template+excelPDF link annotation
    • http://www.ascendercorp.com/In extracted file (font_00_sfnt_off0000f4cd.bin)
    • http://www.ascendercorp.com/typedesigners.htmlIn extracted file (font_00_sfnt_off0000f4cd.bin)
    • http://www.daltonmaag.com/In extracted file (font_02_sfnt_off00012ab0.bin)
    • https://uploads.strikinglycdn.com/files/66c37bbb-9418-43d7-ac4e-5d245f48c309/fallout_4_survival_mode_leveling_gui.pdfIn PDF document text
    • https://s3.amazonaws.com/paropabaru/the_book_of_secrets_osho.pdfIn PDF document text
    • https://s3.amazonaws.com/novifamigot/grade_4_module_6_answer_key.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/773cad52-05d2-4db2-97f3-ef4297cb7975/xugar.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4024d30e-3e43-492e-9b30-0ca4f284f18f/xatekirak.pdfIn PDF document text
    • https://s3.amazonaws.com/gozilum/pakam.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6f81adee-55ea-4832-9c81-7ccef3bdca6b/99856419275.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/56a18471-9880-423e-b234-d728dfc800ff/kugajadaxeguxulavopisal.pdfIn PDF document text
    • https://s3.amazonaws.com/dorobukasawituw/99367153059.pdfIn PDF document text
    • https://s3.amazonaws.com/tenunud/73675776910.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7f43e273-e573-4ef4-8f6f-ef2401b7ab88/joey_badass_b4da.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/81c4c93a-be9b-4212-bbe1-d9d6253cb30b/87253741714.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/aba2f2ce-cd07-4949-96b5-1cb6e2df18f1/badafaxamafir.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn extracted file (font_00_sfnt_off0000f4cd.bin)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f4cd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF4CD 4928 bytes
SHA-256: d8988e5ad699d4a3e4955f8ae6e3181aef10d93d58f6f2d4a534eda9bac0f83a
font_01_sfnt_off0001056f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1056F 10948 bytes
SHA-256: d94b7723cc05299d1d1482c236aa3832734afb9e9d37551df1183b439ee854bf
font_02_sfnt_off00012ab0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12AB0 4324 bytes
SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333