Malicious PDF — malware analysis report

Static analysis result for SHA-256 f182e3e4d6c7a7bd…

MALICIOUS

PDF

Size: 43.5 KB
Created: 2020-10-24 05:42:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: 43455b9b70549182c895e38faccf7e3d
SHA-1: 9d0cee1aa92362059d68f4fd19fa11174e4e8805
SHA-256: f182e3e4d6c7a7bdbdeaefab3f4683051870d9a9c3f75f5b0d116b9a98e5068d
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure for installation manuals, and the ML classifier strongly indicates maliciousness. The presence of embedded URLs and the PDF_MALICIOUS_REDIRECTOR_LINK heuristic suggest the primary goal is to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel)
    • https://ggtraff.ru/wb?keyword=buderus%20g215%20installation%20manual (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379605/normal_5f8c38a05cb8d.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4384149/normal_5f93528b601c9.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4387573/normal_5f9195f3a2e64.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4390681/normal_5f9111491bf25.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4377928/normal_5f92c2f0f0229.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367927/normal_5f8b355d05287.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368770/normal_5f87e62d3d85d.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368972/normal_5f89af5153172.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4385424/normal_5f902eaf74e71.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4385197/normal_5f91751dd96f3.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369160/normal_5f8fe13e340b3.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4365567/normal_5f8f743e6980a.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367687/normal_5f91f2fa0d56f.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://s3.amazonaws.com/senodiw/occupational_health_and_safety_act_and_regulations_south_africa.pdf (In PDF document text)
    • https://s3.amazonaws.com/neviwove/buku_agama_islam_kelas_10_smk_penerbit_erlangga.pdf (In PDF document text)
    • https://s3.amazonaws.com/suzixegazunow/wuvutoralezifumixufobetuj.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0481/3629/0467/files/unblocked_games_cookie_clicker.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0493/3628/7391/files/love_nikki_stylist_arena_guide.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0431/8950/2110/files/tcl_32d100_32-inch_720p_led_tv_manual.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0484/6898/3969/files/16476363682.pdf (In PDF document text)
    • https://cdn.shopify.com/s/files/1/0481/6361/8965/files/nuvutumujewojodanaxejipu.pdf (In PDF document text)
    • https://s3.amazonaws.com/ganubatebedoxez/abirami_anthathi_download.pdf (In PDF document text)
    • https://s3.amazonaws.com/voxulija/29042128748.pdf (In PDF document text)
    • https://s3.amazonaws.com/mozirolinitaje/gesusigoxaziwesuwaxigo.pdf (In PDF document text)
    • https://s3.amazonaws.com/fasanag/application_software.pdf (In PDF document text)
    • https://s3.amazonaws.com/jepinebawo/muslim_baby_names_with_meaning_in_tamil.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006a2e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A2E
    Size: 5504 bytes
    SHA-256: 55d6744055d8818270833b31a4694362908385acb7a107e2307afbeb8cb8b3e4
  • Filename: font_01_sfnt_off00007cd8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7CD8
    Size: 10512 bytes
    SHA-256: e9090d1f9ee9db387f89405cf4ac791df33914a2d835f01c981fd52475e212c6