Malicious PDF — malware analysis report

Static analysis result for SHA-256 0665e5acde1c1458…

MALICIOUS

PDF

66.8 KB Created: 2020-08-05 11:49:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 597b0fe40585b3a63ef5e2ff92cee989 SHA-1: 1756913f2f7f2b45a9d402a90d800efb486f757f SHA-256: 0665e5acde1c14581dd3900b0d7b8cb04f84b7660c31d204592a9f15c8f7bbf4
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links, with one specifically pointing to a known malicious redirector. The document body, though partially corrupted, includes the URL 'https://ttraff.com/pify?keyword=ceylon+history+pdf', suggesting a lure for SEO spam or phishing. The presence of numerous other PDF links, many hosted on Shopify, indicates a link farm strategy. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=ceylon+history+pdf
    • http://files.theprlady.com/uploads/1/3/1/0/131070861/14027.pdf
    • http://files.glowwellnesscollective.org/uploads/1/3/1/6/131607712/cd10e63aa12d.pdf
    • http://files.shift-counselling.com/uploads/1/3/1/4/131437319/tulojume_parivivera_domun.pdf
    • http://files.madeintheusasportsfestival.com/uploads/1/3/0/7/130775903/gezedavemudalib.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0428/7909/0855/files/29038042311.pdf
    • https://cdn.shopify.com/s/files/1/0435/1698/5503/files/jeremih_planes_download.pdf
    • https://cdn.shopify.com/s/files/1/0438/4410/8445/files/bolupirovubewepaxe.pdf
    • https://cdn.shopify.com/s/files/1/0436/4910/6073/files/33693899426.pdf
    • https://cdn.shopify.com/s/files/1/0431/3976/0295/files/reggae_version_of_hello.pdf
    • https://cdn.shopify.com/s/files/1/0431/5149/1233/files/48504920181.pdf
    • https://cdn.shopify.com/s/files/1/0434/1451/9966/files/nidokezogonuwijofe.pdf
    • https://cdn.shopify.com/s/files/1/0429/9200/9365/files/mitosis_and_meiosis_assignment.pdf
    • https://cdn.shopify.com/s/files/1/0437/1061/1607/files/diablo_3.pdf
    • https://cdn.shopify.com/s/files/1/0431/1410/2941/files/49880464762.pdf
    • https://cdn.shopify.com/s/files/1/0432/8266/1526/files/vevotofepurulotemosefo.pdf
    • https://cdn.shopify.com/s/files/1/0430/8251/4581/files/hindu_calendar_2020_south_africa.pdf
    • https://cdn.shopify.com/s/files/1/0429/3722/1276/files/ccpc_act.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://sinhala.sourceforge.net/
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
    • http://www.gnu.org/licenses/gpl-2.0.html

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079d4.bin
fd6f6a534d83cfa40b01a240f34bf2990eaa501ad8094c0dc6887c9ac7a81c16		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79D4 4832 bytes
font_01_sfnt_off00008a3a.bin
9fb418fa606a1358cb733dd5c7e178587fef6c8dd9abc6a4e4d291afd33471d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8A3A 4728 bytes
font_02_sfnt_off00009a75.bin
4cca0590b4e98e1c3801cebaff440c4b790b497c1cd8f393d4454ec4a061ac11		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A75 12592 bytes
font_03_sfnt_off0000beb2.bin
5795cbe802590453e99a354f0c1b1d4ee7c48ebf0705db2e8e68692ed0fa8e48		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBEB2 15200 bytes
font_04_sfnt_off0000ed78.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0xED78 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.