Malicious PDF — malware analysis report

Static analysis result for SHA-256 0044dc25a3112c56…

Verdict: MALICIOUS
File type: PDF
Size: 34.1 KB
Created: 2020-08-31 06:55:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c4896bfa15b771a8e8c64528d7f44462
SHA-1: 34b3ccbf5932cf6d9c399ceaed04a7a6cd94cded
SHA-256: 0044dc25a3112c569ee876c994d8a7b484d7bd420f37b9890230420c812a6d2f
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains text related to a 'free download' and the malicious URL, suggesting a phishing or scam attempt. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.com/wix?keyword=sanjay+sharma+communication+systems+pdf+free+download
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/5ecadc_249ab3da3dee48878b44c2585ddd9aa6.pdf
    • https://static.usrfiles.com/ugd/b8c837_196c2bca36d245068e84c488f6c85757.pdf
    • https://static.usrfiles.com/ugd/e3ff21_8afac34ad8874e69bbeff2b327a71ac0.pdf
    • https://static.usrfiles.com/ugd/fedf23_139f9e6243024385a101ed27c428b347.pdf
    • https://static.usrfiles.com/ugd/52b593_e59dea845b3e47a8ace801b4576de77b.pdf
    • https://static.usrfiles.com/ugd/0511f5_2e9069cb98bc43e4a79eea0f3b3aee0d.pdf
    • https://cdn.shopify.com/s/files/1/0431/6761/3082/files/capteur_de_pression_d_huile_moteur.pdf
    • https://cdn.shopify.com/s/files/1/0439/8671/4782/files/black_and_decker_weed_wacker.pdf
    • https://static.usrfiles.com/ugd/33c377_fd7f62efcb1948d2aa75a2de2100e13f.pdf
    • https://static.usrfiles.com/ugd/9757e7_9674e90901dc478289295191653d5b79.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • font_00_sfnt_off00004556.bin
    SHA-256: f37b79e80cff54424b5e4eb503fa91161f20fc09320250e6be1a0d9a31835604
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4556
    Size: 5768 bytes
  • font_01_sfnt_off000058dd.bin
    SHA-256: cbd781082769e9b3b62fc0230e7661a30f6b520ecd2c11a3197b4a55f88b2390
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x58DD
    Size: 10152 bytes