Malicious PDF — malware analysis report

Static analysis result for SHA-256 0206d3197256516a…

MALICIOUS

PDF

55.9 KB Created: 2020-08-12 12:58:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1ded64aae06d6cee785ec7954a4945eb SHA-1: f6480f854401e6909031aae9396dedd496443126 SHA-256: 0206d3197256516acee362d6b3560cc1d3f08432e1e4c602ed41e6b3fd54e428
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a prominent link disguised as a book title, which redirects to a known malicious URL. This indicates a phishing or malware distribution attempt, likely using the document as a lure to trick users into clicking the malicious link. The presence of numerous other PDF links further suggests an attempt to manipulate search engine results or distribute a large volume of content, potentially malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=brahmastra+book+by+ajay+gulati+pdf+free+download
    • http://files.brandshamans.com/uploads/1/3/1/3/131379223/mabewubelog-xuvevijefigaz.pdf
    • http://files.dartistessalon.com/uploads/1/3/2/6/132680974/647bcba510.pdf
    • http://jajiwoku.smalltownweather.com/uploads/1/3/1/6/131606289/efd6e832509.pdf
    • http://zenamu.danielahdz.com/uploads/1/3/0/8/130813557/1ef0ec4bc159.pdf
    • http://files.bellamayphotography.com/uploads/1/3/2/6/132695568/7805ae7ef.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://cdn.shopify.com/s/files/1/0433/2843/8427/files/treatment_of_acute_hepatitis_b.pdf
    • https://cdn.shopify.com/s/files/1/0437/5229/2513/files/81140564832.pdf
    • https://cdn.shopify.com/s/files/1/0432/5628/3296/files/89198703822.pdf
    • https://cdn.shopify.com/s/files/1/0432/8872/3616/files/73172649709.pdf
    • https://cdn.shopify.com/s/files/1/0437/6972/5080/files/tdap_in_pregnancy_cdc.pdf
    • https://cdn.shopify.com/s/files/1/0434/4299/5352/files/doodle_god_2_combinations.pdf
    • https://cdn.shopify.com/s/files/1/0440/8904/9238/files/99082764625.pdf
    • https://cdn.shopify.com/s/files/1/0428/7211/1260/files/83290827208.pdf
    • https://cdn.shopify.com/s/files/1/0430/9277/0977/files/analog_multimeter_specification.pdf
    • https://cdn.shopify.com/s/files/1/0437/2316/1768/files/miramojokajumafizagowux.pdf
    • https://cdn.shopify.com/s/files/1/0431/1705/2053/files/accounting_principles_procedures_mcqs_fpsc.pdf
    • https://cdn.shopify.com/s/files/1/0431/6318/9412/files/vosijufemovozivunivaxijef.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006559.bin
4b3529a467b29c951053d9f2a5108c348cda1a91538c12cbb55a221642f489ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6559 5976 bytes
font_01_sfnt_off000079aa.bin
d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79AA 3720 bytes
font_02_sfnt_off00008505.bin
cf0d8fb5527eae19401dfc12654250517e7a38e3cc95ac791bee53c0147e1778		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8505 1972 bytes
font_03_sfnt_off00008e78.bin
54f6955859a378bc92351c7887b24c094362b50a33552ae6e6a6377299092713		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8E78 10216 bytes
font_04_sfnt_off0000b197.bin
9037cfe277be4a89233172b44c2ba75e37ea8ea8184f1a8e6cd700990c5a5311		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB197 9888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.