Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb4658ac03b1d5bb…

MALICIOUS

PDF

Size: 67.9 KB
Created: 2020-08-15 03:25:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 25f73f5e52b99f4a3c80fb8ae0428c30
SHA-1: ea02058a19554495fc39cca314aea55c29a7c8fd
SHA-256: cb4658ac03b1d5bbfd16e557a1d53c5331e7be738f13f8967e0647f1fdaaf5b7
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file is classified as malicious because a critical heuristic fired, indicating a redirector link to known malicious infrastructure. It also contains a large number of external PDF links, suggesting a link farm built for SEO manipulation or for distributing further malicious content. The ML classifier strongly supports the malicious verdict. The primary IOC is the redirector URL, which is likely used to funnel victims to a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.cc/pify?keyword=process+of+biotransformation+of+xenobiotics

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ccc8.bin
  SHA-256: ae796f940481f010aad9ae5def749b5eb833384d0d1b6fbc3c842bf68bd18f60
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCCC8
  Size: 5204 bytes

Filename: font_01_sfnt_off0000de5d.bin
  SHA-256: eb49cbb62e24cdb6d27757411cdea997dadbdff83d630ded3a6bd89ddca2d2c7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDE5D
  Size: 10460 bytes