Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8703dc51e054f34…

MALICIOUS

PDF

39.8 KB Created: 2020-08-08 00:00:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: db4c81d548215c775a253fe781fffb72 SHA-1: 1e343c01b6fe641fc0b0d824d6ab46dca2b98d9a SHA-256: d8703dc51e054f3416c27d431f314eedb27a6cf61d4d84023dfc2aefe0d4c487
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to a redirector infrastructure identified as malicious. The document body, though partially obfuscated, contains text related to 'primary auxiliary verbs' and a URL that appears to be the primary lure. The ML classifier strongly indicated maliciousness, and the presence of a malicious redirector URL supports the conclusion that this PDF is designed to lead users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=use+of+primary+auxiliary+verbs+pdf
    • http://files.dvanminsel.com/uploads/1/3/0/9/130969580/joruno.pdf
    • http://files.bikewashtenaw.org/uploads/1/3/1/0/131070207/togusidusokuj.pdf
    • http://files.rchatierrasanta.com/uploads/1/3/1/3/131383892/vuzasolosuj.pdf
    • http://files.designsbykneeknee.com/uploads/1/3/0/7/130776046/jesopevol.pdf
    • http://tedaj.abiblo.com/uploads/1/3/0/7/130775734/pugiv-puwewidu-kewirenasas-sujewekowa.pdf
    • https://cdn.shopify.com/s/files/1/0429/1490/6275/files/17374724900.pdf
    • https://cdn.shopify.com/s/files/1/0433/7667/2918/files/zuvimepuxirijuxifenosomaw.pdf
    • https://cdn.shopify.com/s/files/1/0433/5622/5686/files/xibagadab.pdf
    • https://cdn.shopify.com/s/files/1/0434/4394/5622/files/94402772929.pdf
    • https://cdn.shopify.com/s/files/1/0430/0311/7719/files/disney_animal_kingdom_map.pdf
    • https://cdn.shopify.com/s/files/1/0435/3848/1320/files/adjectives_and_adverbs_easy_exercises.pdf
    • https://cdn.shopify.com/s/files/1/0429/3374/7878/files/24584678526.pdf
    • https://cdn.shopify.com/s/files/1/0436/7355/1001/files/how_to_make_stone_fence_in_minecraft.pdf
    • https://cdn.shopify.com/s/files/1/0434/2821/6983/files/viwexixizig.pdf
    • https://cdn.shopify.com/s/files/1/0437/8660/0609/files/clinical_anatomy_of_the_brachial_plexus.pdf
    • https://cdn.shopify.com/s/files/1/0430/5335/1066/files/75953760279.pdf
    • https://cdn.shopify.com/s/files/1/0431/4172/6370/files/piredugok.pdf
    • https://cdn.shopify.com/s/files/1/0431/3127/3365/files/zipigatabuju.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005df7.bin
e9906a2ac4b2a3d98afd9d751c1ca22c817c17eaeefc673919ac5aef2512481a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DF7 5548 bytes
font_01_sfnt_off000070c8.bin
839bbbec3cc722cbeee61fcd6309e9b309918f1012c2e85f90a80659ef5f9dd6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70C8 9828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.