Malicious PDF — malware analysis report

Static analysis result for SHA-256 c796b65ce6bb975a…

MALICIOUS

PDF

Size: 57.2 KB
Created: 2020-10-22 18:05:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: 1a8827570f3aa0caefc24f6b77e99f72
SHA-1: 675ac2e6e48188482ccd8529080d48609237a70c
SHA-256: c796b65ce6bb975aa31a43e14f875091dba8496063a5346633af9816213a06d6
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to Excel VBA and a URL that appears to be part of a link farm designed to attract search engine traffic. This suggests an attempt to direct users to malicious infrastructure under the guise of providing technical information.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_006_off0000ac63.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0xAC63    24436 bytes
  SHA-256: 66409e3fb1f29bf3804cde36be342ece6d4ed2116fa90505ad9df256f1594064
font_00_sfnt_off00006ca4.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x6CA4   5388 bytes
  SHA-256: c47cfef054b2e1541720184555290f3c21e0879fe3b8bfbcf415c6675db3c481
font_01_sfnt_off00007eff.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x7EFF   2076 bytes
  SHA-256: e6b41424cbfbab56785d1d111fff896518f16f9ecc2d4d57a6cdabbdaf1573d2
font_02_sfnt_off0000880d.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x880D   10764 bytes
  SHA-256: 0fc2a525f01bba672fdf0c549a4de1788d0fd8ea5a45377256c4f272be25fea9