Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0d8b0f5c8a9a788…

MALICIOUS

PDF

Size: 53.8 KB
Created: 2020-08-06 18:33:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10e74fd620b8646013bc16d475c05ed1
SHA-1: b1b342e33e1a66f40994e3425bb262a8ee48a65d
SHA-256: d0d8b0f5c8a9a788f8a1e7cad51074cd6a7eb2e0593aa2b3eff4a033e278d91c
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF document contains a large number of external links, many of which point to a link farm. One of the primary links redirects to a malicious URL, indicating an attempt to lure users to harmful content. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the PDF structure and embedded URLs are sufficient to infer a malicious redirection attack.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/pify?keyword=deficiencia+de+vitamina+b5+pdf
    • http://files.cleamachold.com/uploads/1/3/2/6/132682134/notalosadu_duteso.pdf
    • http://files.queersfordinner.com/uploads/1/3/1/4/131437919/vojererapibif_judexunumafun.pdf
    • http://files.meadowlakefreshair.com/uploads/1/3/1/4/131437313/2574788.pdf
    • http://sutezomas.balticsportsciencesociety.com/uploads/1/3/1/6/131606094/ac6bd8040.pdf
    • https://cdn.shopify.com/s/files/1/0435/3651/5224/files/parental_attitude_scale.pdf
    • https://cdn.shopify.com/s/files/1/0432/6513/0660/files/17561914854.pdf
    • https://cdn.shopify.com/s/files/1/0437/0785/9096/files/plus_or_minus_alt_code.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/34007074416.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/38659434623.pdf
    • https://cdn.shopify.com/s/files/1/0440/9350/5688/files/pupujajajal.pdf
    • https://cdn.shopify.com/s/files/1/0430/6105/1546/files/busopar.pdf
    • https://cdn.shopify.com/s/files/1/0433/4324/9563/files/51507443969.pdf
    • https://cdn.shopify.com/s/files/1/0435/0102/7493/files/mokovejigavagola.pdf
    • https://cdn.shopify.com/s/files/1/0434/7520/6294/files/dazepoduvibixixumalu.pdf
    • https://cdn.shopify.com/s/files/1/0429/4017/0406/files/dosumuzisebojazeju.pdf
    • https://cdn.shopify.com/s/files/1/0431/4651/0504/files/moduzibupazokemekowi.pdf
    • https://cdn.shopify.com/s/files/1/0433/5599/6328/files/51192379395.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/1261535930.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000865e.bin
    SHA-256: 7784e21075b8cbc3b82c0db09eb411e8d5814039f55951a6b511d191b9c29ffa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x865E
    Size: 4996 bytes
  • font_01_sfnt_off00009751.bin
    SHA-256: 19519d231161e3e5b40ad0040775b539d844dd36f9e6ac2202e0a1a52562cf58
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9751
    Size: 11208 bytes
  • font_02_sfnt_off0000bbd9.bin
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBBD9
    Size: 4324 bytes