Malicious PDF — malware analysis report

Static analysis result for SHA-256 088fa395fe84e92c…

Verdict: MALICIOUS
File type: PDF
Size: 57.6 KB
Created: 2020-09-13 06:17:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93044172369cfc7b23e0387be5691c66
SHA-1: 9d6425eb4e358794332f8f38f17f598bee39f13d
SHA-256: 088fa395fe84e92c6ed1533d44286db1647eb37c01d2e3af8f28bc1f4f805af8
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous clickable external links, one of which points at known malicious redirector infrastructure. The ML classifier flagged the file as malicious with a score of 1.0000, and the dense cluster of external PDF links in a small, tool-generated document (wkhtmltopdf) matches the link-farm carriers used to route users into unwanted-software delivery chains or phishing. No scripts were extracted, so the document relies on user clicks and redirect chains rather than a parser vulnerability; the link annotations and heuristics both indicate that its purpose is to direct users to external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=apk+clean+master+premium
    • http://tegesisif.eswut.com/uploads/1/3/1/8/131856772/nitubolebuzo.pdf
    • http://files.gefcsports.org/uploads/1/3/0/7/130775231/5982267.pdf
    • http://files.myjourneyoffaithandhealing.com/uploads/1/3/0/9/130969811/7bfedff0c748d4c.pdf
    • http://files.itc-transporter.org/uploads/1/3/2/6/132681969/fb330bf8b80ed.pdf
    • http://nevej.nickysawesomewebsite.com/uploads/1/3/1/4/131456267/bc419687.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/7f16bd_70c25fe4d61446cbbec99c7398e659d9.pdf
    • https://static.usrfiles.com/ugd/d4c4cf_3a2f7df0437f498bac676b9738ce1a19.pdf
    • https://static.usrfiles.com/ugd/ccb1c6_f3999b1194ae46e887a0c3cdb6147994.pdf
    • https://static.usrfiles.com/ugd/c7ef1a_c43c35d264234fc8a530f57fe7305391.pdf
    • https://static.usrfiles.com/ugd/1e4819_4eeaa1e648d148cc94dfcf9f216404a2.pdf
    • https://static.usrfiles.com/ugd/8ba634_563e16a7963f4970a89c16127481ed86.pdf
    • https://static.usrfiles.com/ugd/9d7ad9_5b765bbfa1134502ad3f15558b02b6a8.pdf
    • https://static.usrfiles.com/ugd/5cd33b_5ff44114125e4fe3a57f2bb7646e8523.pdf
    • https://static.usrfiles.com/ugd/1c90dc_3550c71f752549a7940fa5705110304b.pdf
    • https://static.usrfiles.com/ugd/4c76bf_97ace1024d26439ca196946c337d5e12.pdf
    • https://static.usrfiles.com/ugd/b8c837_e02fd5b81f1b4eb8909d192f86466ecc.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
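The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a few regexes over the raw bytes. The following is an added example written for this report, not the analyser's own code: it builds a constructed PDF-shaped byte string (placeholder hostnames, no xref table, not the analysed sample), collects only the URIs that a click can reach (/URI actions inside /Link annotations, so XMP namespace URLs such as the w3.org and ns.adobe.com entries never count), scores the link-farm pattern, and lists every object number defined twice with different bodies together with what a first-wins and a last-wins reader would resolve. The thresholds (256 KiB, 8 links, 50 % on one host) and the function names are assumptions chosen for the demo.

```python
"""Added example: re-implements two of the report's heuristics over a
constructed PDF-shaped byte string. Thresholds, sample and hostnames are
assumptions for the demo, not the analyser's own values."""
import re
from collections import Counter
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm)\b")


def build_sample() -> bytes:
    """Constructed sample (not the analysed file, not renderable: no xref).
    One page with nine /Link annotations: six .pdf links on one host, two on
    other hosts, one non-PDF redirector-style URL. Object 5 is defined twice
    with different bodies, as an incremental update would leave it."""
    uris = [f"http://files.example.net/uploads/{i}/doc{i}.pdf" for i in range(6)]
    uris += ["http://mirror-a.example.org/a.pdf",
             "http://mirror-b.example.org/b.pdf",
             "https://redirect.example.com/go?keyword=free+app"]
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(uris)))
    out = [b"%PDF-1.4\n",
           b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
           b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
           b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots ["
           + annots + b"] >>\nendobj\n",
           b"5 0 obj\n<< /Length 16 >>\nstream\nBT (hello) Tj ET\nendstream\nendobj\n"]
    for i, uri in enumerate(uris):
        out.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                   b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (10 + i, uri.encode()))
    # Fake incremental update: object 5 redefined with a different body.
    out.append(b"5 0 obj\n<< /Length 18 >>\nstream\nBT (updated) Tj ET\nendstream\nendobj\n")
    out.append(b"%%EOF\n")
    return b"".join(out)


def parse_objects(data: bytes):
    """All indirect objects in file order, duplicates kept, as ((num, gen), body)."""
    return [((int(n), int(g)), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(data: bytes):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: ids defined more than once with
    differing bodies, plus what a first-wins and a last-wins reader resolve."""
    bodies_by_id = {}
    for key, body in parse_objects(data):
        bodies_by_id.setdefault(key, []).append(body)
    findings = {}
    for key, bodies in bodies_by_id.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            # Body-only differences are common in benign incremental updates;
            # severity is raised only when a duplicate carries active content.
            active = any(ACTIVE_RE.search(b) for b in bodies)
            findings[key] = {"definitions": len(bodies),
                             "first_wins": bodies[0], "last_wins": bodies[-1],
                             "severity": "high" if active else "info"}
    return findings


def _unescape(raw: bytes) -> str:
    """Minimal PDF literal-string unescape (backslash-escaped chars); enough for URIs."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def link_annotation_uris(data: bytes):
    """Clickable URIs only: /URI actions inside /Link annotation objects.
    Namespace URLs in XMP metadata never reach this list."""
    uris = []
    for _, body in parse_objects(data):
        if LINK_RE.search(body):
            uris += [_unescape(u) for u in URI_RE.findall(body)]
    return uris


def link_farm_verdict(data: bytes, max_size=256 * 1024, min_pdf_links=8,
                      min_top_host_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, mostly one host."""
    external = [u for u in link_annotation_uris(data)
                if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {"size": len(data), "external_links": len(external),
            "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2),
            "flagged": (len(data) <= max_size and len(pdf_links) >= min_pdf_links
                        and share >= min_top_host_share)}


if __name__ == "__main__":
    pdf = build_sample()
    print(link_farm_verdict(pdf))
    for key, f in duplicate_objects(pdf).items():
        print(key, f["definitions"], f["severity"], f["first_wins"], f["last_wins"])
```

Run against a real file with `link_farm_verdict(open(path, "rb").read())`; note that it only sees objects stored in the clear, so links inside compressed object streams (/ObjStm) need inflating first. On the report's own URL list the pattern is the same shape the demo flags: 16 clickable .pdf links with 11 of them on static.usrfiles.com in a 57.6 KB file, while the w3.org, purl.org, adobe.com and font-licence URLs are metadata strings, not link annotations.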

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off000081c2.bin
  SHA-256: e211f2d6e0d1bf1fd17bd5150bc2724fb7c0f1d37b1c69b855d9dcad8de34ab0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x81C2
  Size: 2952 bytes

font_01_sfnt_off00008c50.bin
  SHA-256: b11f85639ac86c8166568ea84479003a464f81c43ed7775ce68d1f2f137cfa8d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8C50
  Size: 5132 bytes

font_02_sfnt_off00009db1.bin
  SHA-256: b78deb1cd0211c05bb9418cc707d4fb930e87315fa29e1c98f17bf3021cbdca4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9DB1
  Size: 11176 bytes

font_03_sfnt_off0000c402.bin
  SHA-256: 416438fd0a6bf2b0fbbee90b75bae1eaaf4cf69236eda9052fd3a4450d1d3b12
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC402
  Size: 16096 bytes