Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb01d25fb2ae093f…

MALICIOUS

PDF

47.4 KB Created: 2020-10-28 01:12:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2020-12-28
MD5: 06dc865750865755a1efb1acb08609f4 SHA-1: d2204a7e2328ff71a8fcf0c8fbee88deb0f45aa7 SHA-256: eb01d25fb2ae093f704ec0205073bec554e389de72fa9abc05ecd8b9766dcaa6
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text that appears to be a lure for downloading software, supported by the SE_DOWNLOAD_BUTTON heuristic. The ML classifier also strongly flagged this PDF as malicious. The embedded URL is the primary indicator of compromise, likely leading to a further stage of infection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/123?keyword=terrarium+tv+mod+apk+uptodown In PDF document text
    • https://cdn-cms.f-static.net/uploads/4366009/normal_5f8c2552d6753.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4376870/normal_5f8eed4d83cb9.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4416510/normal_5f958e97cb541.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4382772/normal_5f8df973dd93b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4402936/normal_5f94be3b62f4d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4391915/normal_5f95e3dec96f1.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4408482/normal_5f94f2c03d98c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4376120/normal_5f9114c658a78.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4410431/normal_5f976c41c044b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366406/normal_5f87511434bea.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4375194/normal_5f94d935cf886.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/1f137436-fbfc-4e6a-8dca-6187293415f7/puxarelepizemadakoxokos.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7be60db1-589a-4aa0-bf17-1001f06dc891/73345536257.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e115df2f-1e41-41be-8629-7afa07eecc7a/besalalivo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5e1914b3-7c91-48ae-9dd7-46534988d1b7/xazezadesujaku.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/975a6989-3fe8-4c7f-8880-72e02c499cc3/49017692466.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a3841a90-0fa1-4df0-a686-16f95c3285fc/fofagiraxigemosuxup.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2fe20f25-1ff5-4a07-828d-31ba6655dad0/88143431250.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/348be14f-5b51-4396-8aec-1a2124bdfffa/nakesagigizeribaserolino.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0c89c6b7-d3c6-4810-89db-2e971871ea5b/boderaditufawo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9ab61fc3-6f49-4f1c-b5b3-80535806f678/vewufiju.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5338b20e-a20f-4baf-a2f2-0728621b5a3e/bufuwonipiko.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ad96ded3-ff0e-4a8a-ae7e-4dae2c6b8b30/tulekukedozo.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007910.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7910 5060 bytes
SHA-256: 0c1e602d0c07c19dbdc3100d7ff50282e560b0145f10350e108e9176dfd9300b
font_01_sfnt_off00008a4a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8A4A 11272 bytes
SHA-256: 0343e157b5654b21f15773984f35a9b8ec4de0fc411b3bc28c673062f946f1bd