Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef28ea4dd338e195…

MALICIOUS

PDF

49.0 KB Created: 2020-07-29 20:48:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc3625fc2921b11fe55825aedd39e7aa SHA-1: cac2f87b805360b8364d9b6f4773b87aa6858972 SHA-256: ef28ea4dd338e195aee29b738d535d7b4acf71d6dcb8ec8da54ec307b8b02fa7
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF file contains numerous embedded links, a technique often used to redirect users to malicious websites. The heuristic PDF_MALICIOUS_REDIRECTOR_LINK specifically identifies a link pointing to a known malicious redirector. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, appears to be a lure related to 'Budget 2020 19 speech pdf', aiming to trick users into clicking the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=budget+2020+19+speech+pdf
    • http://files.hethermilane.com/uploads/1/3/0/7/130776001/xezarudidokadopuvo.pdf
    • http://files.lovehealthyme.com/uploads/1/3/1/4/131407655/5d3d07cffb109d.pdf
    • http://files.kiwiinsurancesolutions.com/uploads/1/3/1/6/131606819/6079350.pdf
    • https://cdn.shopify.com/s/files/1/0440/8747/6389/files/56549672689.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/polonafebomi.pdf
    • https://cdn.shopify.com/s/files/1/0437/8047/2984/files/jetudaxabexefosez.pdf
    • https://cdn.shopify.com/s/files/1/0432/9275/4080/files/66446849118.pdf
    • https://cdn.shopify.com/s/files/1/0431/9212/3560/files/13958033424.pdf
    • https://cdn.shopify.com/s/files/1/0429/8578/3455/files/ponipogikapobilok.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/1741554469.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/48465164240.pdf
    • https://cdn.shopify.com/s/files/1/0432/0064/3236/files/91363538981.pdf
    • https://cdn.shopify.com/s/files/1/0433/8165/3655/files/16055744461.pdf
    • https://cdn.shopify.com/s/files/1/0429/1425/0905/files/55978516775.pdf
    • https://cdn.shopify.com/s/files/1/0434/3237/8517/files/nowejubowekewuvus.pdf
    • https://cdn.shopify.com/s/files/1/0432/7456/7843/files/pexadominodudiwememal.pdf
    • https://cdn.shopify.com/s/files/1/0431/6702/3253/files/90795560437.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008210.bin
4011fd5ef9cb3b46022a82d2d8b6e79b974c4098a12b09dda2ec13465c07d0a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8210 5228 bytes
font_01_sfnt_off000093fb.bin
d3bf780769cf4d0a4bd02e936a0de2541d8772bd23e6ce68f088426de486d146		 pdf-font-stream PDF embedded font (sfnt) at offset 0x93FB 10304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.