Malicious PDF — malware analysis report

Static analysis result for SHA-256 c59901c5203a4ad6…

MALICIOUS

PDF

152.6 KB Created: 2020-10-30 21:57:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-27
MD5: f34b535392396b2355a1e98758cc56e7 SHA-1: 875489c3948ff90eb90b6c22e1878f7561a62841 SHA-256: c59901c5203a4ad673f2f0b07af32cec1a38b86623694324ae8c79e78665e08c
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link to a known malicious redirector, indicating an attempt to lead the user to a harmful site. The document body, though heavily obfuscated, contains text that appears to be a 'Bolc packing list' and the malicious URL itself, suggesting a phishing or redirection lure. No scripts were extracted, but the presence of a malicious URL is a high-confidence indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9928

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/aws?keyword=bolc+packing+list In PDF document text
    • https://mokitigek.weebly.com/uploads/1/3/1/6/131606839/musux.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366978/normal_5f8b2f9ac4071.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4402032/normal_5f92457278047.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/vaxebisapesi/famous_chocolate_wafers_recipes.pdfIn PDF document text
    • https://s3.amazonaws.com/zarelusipofox/wupimelazujoxexoxipi.pdfIn PDF document text
    • https://s3.amazonaws.com/serogajugomiji/bubonic_plague_history.pdfIn PDF document text
    • https://s3.amazonaws.com/dotivaf/companion_planting_vegetables_chart.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0503/1464/1605/files/florida_partial_release_of_lien_form.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0433/5462/0059/files/44835641611.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0435/1436/4059/files/word_whizzle_answers_fast_food_items.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0433/4374/1083/files/99912048232.pdfIn PDF document text
    • https://s3.amazonaws.com/sugaguxagu/buet_admission_result_2017-_18.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_008_off00023d81.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x23D81 20733 bytes
SHA-256: 27a26acd6f6c3e82bd4b1d2422279ff5bbc7437cc008822f7d71e970c7eba696
font_00_sfnt_off0001f903.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1F903 3120 bytes
SHA-256: b1808a2d7445fd3fa110f6fa10012c850680e97427c6103e19c2def83c2b8d47
font_01_sfnt_off0002043d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2043D 5116 bytes
SHA-256: fceb825393f918ac019b927314ecfb2b4d9918e53d7b363b1e1fdb6ff9d71036
font_02_sfnt_off000215c7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x215C7 12076 bytes
SHA-256: 342efab26384cda64c579934ab0eaa6d2941d4f1eff5e43bae167b49addf88a0