Malicious PDF — malware analysis report

Static analysis result for SHA-256 053e7d609dde79f2…

MALICIOUS

PDF

39.5 KB Created: 2020-08-14 05:44:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b07f997f7259ce960b0d652a66168332 SHA-1: 6d53a222ca4808653ce217bd2ba41abbbae88c1e SHA-256: 053e7d609dde79f253d7ee46364ca68ba082fb1b4b448abda1eed36c2b08e58b
170 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one specifically pointing to known malicious redirector infrastructure at 'https://ttraff.cc/pify?keyword=caresource+ky+appeal+form'. The heuristic firings indicate this PDF is a malicious redirector and part of a link farm, likely designed to lead users to malicious content or phishing sites. The document body's mention of an 'appeal form' and urgency reinforces the phishing pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=caresource+ky+appeal+form
    • http://files.the-westwood-wire.info/uploads/1/3/0/7/130739996/710574.pdf
    • http://dadatip.precisionpaintrepairllc.com/uploads/1/3/0/8/130814238/mafufelasi-guxel-jobabasiwosu-suzamux.pdf
    • http://wiloto.perrykomdat.com/uploads/1/3/0/9/130969440/rasogalubinamoz.pdf
    • http://files.billmitchellcreative.com/uploads/1/3/1/4/131482988/xisixalebukuk.pdf
    • http://files.sueannecelebrant.com/uploads/1/3/1/4/131437351/26ff42c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0429/1434/9215/files/bonhoeffer_s_black_jesus.pdf
    • https://cdn.shopify.com/s/files/1/0429/7257/7946/files/12593261719.pdf
    • https://cdn.shopify.com/s/files/1/0438/2726/5693/files/sofunaxib.pdf
    • https://cdn.shopify.com/s/files/1/0429/2011/6387/files/weedeater_lawnmower_manual.pdf
    • https://cdn.shopify.com/s/files/1/0432/9757/0980/files/pigezekelogidomaseguzaw.pdf
    • https://cdn.shopify.com/s/files/1/0431/8245/6981/files/kangaroo_paw_fact_sheet.pdf
    • https://cdn.shopify.com/s/files/1/0438/8998/3640/files/63998749990.pdf
    • https://cdn.shopify.com/s/files/1/0429/0491/2031/files/25512674112.pdf
    • https://cdn.shopify.com/s/files/1/0437/7562/3320/files/photogrammetry_nptel.pdf
    • https://cdn.shopify.com/s/files/1/0433/8309/5452/files/benedetto_croce_biografia.pdf
    • https://cdn.shopify.com/s/files/1/0445/6910/0452/files/descargar_libro_caballo_de_troya_6_gratis.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e74.bin
12cb4937442ba249c14c0830eabd2c4877d549ddd9108d0a1e6cc72f63487431		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E74 5232 bytes
font_01_sfnt_off0000703e.bin
6a310b985f616e957412de87de7b7b0febfefba19e35272568f16eed4fbf640a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x703E 9712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.