Malicious PDF — malware analysis report

Static analysis result for SHA-256 0363f065a63a8a13…

MALICIOUS

PDF

124.3 KB Created: 2020-08-03 01:46:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9e163f3f8728a8a08626232649b5ccec SHA-1: ba5138f24fa7f88db4812155ae4af5cedf633f2d SHA-256: 0363f065a63a8a13f871109bd06d21367770a0e48a31c27437f9b609ea102e56
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, with one critical heuristic identifying a link to a known malicious redirector infrastructure. The document body, though heavily obfuscated, contains a URL that matches the one flagged by the redirector heuristic. The presence of a link farm and the ML classifier's high confidence further support the malicious nature of this document, suggesting it's part of a campaign to drive traffic to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=physics+volume+2+halliday+resnick+krane+pdf
    • http://files.brownehillradio.com/uploads/1/3/0/9/130969129/9500774.pdf
    • http://files.memorymapformusic.org/uploads/1/3/0/8/130814711/pevunamikupipet.pdf
    • http://files.rootsandwingstraining.com/uploads/1/3/0/8/130873877/c82d9.pdf
    • http://files.endenlabs.com/uploads/1/3/0/7/130740127/nunetapurile-xexemerene.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0429/8381/7375/files/3858508414.pdf
    • https://cdn.shopify.com/s/files/1/0428/8941/2767/files/76108419736.pdf
    • https://cdn.shopify.com/s/files/1/0430/0655/8359/files/manevomibelexujonimafe.pdf
    • https://cdn.shopify.com/s/files/1/0434/6963/5746/files/pamuduludepenapidagetuxo.pdf
    • https://cdn.shopify.com/s/files/1/0439/4660/6760/files/how_to_reset_the_end.pdf
    • https://cdn.shopify.com/s/files/1/0429/4977/1430/files/72060167868.pdf
    • https://cdn.shopify.com/s/files/1/0429/7441/2949/files/wazebizojipejibo.pdf
    • https://cdn.shopify.com/s/files/1/0430/2353/2195/files/zovevanufuxowudezixej.pdf
    • https://cdn.shopify.com/s/files/1/0431/4192/2982/files/7983557994.pdf
    • https://cdn.shopify.com/s/files/1/0428/6359/1583/files/67692210627.pdf
    • https://cdn.shopify.com/s/files/1/0435/5253/8773/files/battlestar_galactica_the_plan.pdf
    • https://cdn.shopify.com/s/files/1/0431/3333/7768/files/mikazejepuvabevomekaxap.pdf
    • https://cdn.shopify.com/s/files/1/0433/6641/6534/files/62346462354.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000184d2.bin
88bfe12962d1b313ea4284a4a6edaeab3b15aee757a84a2046f824b2f06ccafe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x184D2 5756 bytes
font_01_sfnt_off0001984c.bin
1bc6c023cc40ec95c42d2137a65d035a05e57b6d14f6b780f9ca93dcb982fff4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1984C 16812 bytes
font_02_sfnt_off0001cd57.bin
3602a159f41be5254625ea14e6a1b1894761da14cad94340ab570c55682b8007		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1CD57 16228 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.