Malicious PDF — malware analysis report

Static analysis result for SHA-256 01b1373555ce19d5…

MALICIOUS

PDF

48.8 KB Created: 2020-08-30 09:53:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c4ce6b2be04c7e6a6b22e0f306fbba6 SHA-1: 2c26f7cce27ff7ac4ecf038043caa2c0d6cdf7d1 SHA-256: 01b1373555ce19d5ca647ff3365747219f61181c8ad23d2076ca741be9ab8607
94 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a malicious redirector link that points to a URL designed to deliver a payload. The document body, though heavily obfuscated, contains the same malicious URL, suggesting an attempt to trick the user into clicking it. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=a+record+is+also+called+a+____
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/5b604d_31a329d30be04ed6b5a1403a7c709c3a.pdf
    • https://static.usrfiles.com/ugd/8ab72e_6406f7383e5846f7a7299c59231d2222.pdf
    • https://static.usrfiles.com/ugd/49be48_b8bd25c319404ae9870e38b0057c3f57.pdf
    • https://static.usrfiles.com/ugd/b8c837_f3b86c16dfe740c0a94601885d5d65a7.pdf
    • https://static.usrfiles.com/ugd/2f3ac6_db06d62721de40e3864387c9200f2be6.pdf
    • https://static.usrfiles.com/ugd/7e0eb0_79acaf769ff1469ea7fb01c4ea4bfe2f.pdf
    • https://static.usrfiles.com/ugd/4826f5_adaf2195de9f4613a160a4d4bb0065a7.pdf
    • https://cdn.shopify.com/s/files/1/0429/6887/5157/files/55704381449.pdf
    • https://cdn.shopify.com/s/files/1/0428/7230/7875/files/34159627516.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000081c9.bin
e33340be78b45c036dda549f7983c2713d6600ca2957e7057cee5eb981288e84		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81C9 4984 bytes
font_01_sfnt_off000092c8.bin
6c6b6fc499ca0efb2dea7361830f50f2324ed38a1622677800d7d2896d4cf088		 pdf-font-stream PDF embedded font (sfnt) at offset 0x92C8 10684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.