Malicious PDF — malware analysis report

Static analysis result for SHA-256 0aa8289736fb8c97…

MALICIOUS

PDF

80.7 KB Created: 2020-08-29 22:47:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1cfef31a02c6e0485363666a5977ea21 SHA-1: 3600c7829a861e225ed6b46fd919238eefcf46f6 SHA-256: 0aa8289736fb8c973a3badb6b55dfc19b82229a6f94582be6e5654eb862023a9
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF was flagged by multiple critical heuristics as malicious, specifically for containing a link to a known malicious redirector. The document body, though heavily obfuscated, contains the same redirector URL. The presence of a link farm suggests an attempt to distribute malicious content or phishing lures.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=%25D9%2583%25D9%258A%25D9%2581%25D9%258A%25D8%25A9+%25D8%25A5%25D8%25AF%25D8%25AE%25D8%25A7%25D9%2584+%25D8%25A7%25D9%2584%25D9%2582%25D8%25B6%25D9%258A%25D8%25A8+%25D9%2581%25D9%258A+%25D8%25A7%25D9%2584%25D9%2585%25D8%25A4%25D8%25AE%25D8%25B1%25D8%25A9
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/b8c837_31eafa4a4833453b89353e055376cbda.pdf
    • https://static.usrfiles.com/ugd/735189_1632619e472b4ee69dcd8e5b8f5facaa.pdf
    • https://static.usrfiles.com/ugd/b8c837_95b63f57fc54495db8ce1454c6586e8f.pdf
    • https://static.usrfiles.com/ugd/b8c837_e726369eb1b34010a4a932b77ae571a2.pdf
    • https://static.usrfiles.com/ugd/b8c837_666dccc875de4a9b890f7e5c2c0f4a59.pdf
    • https://static.usrfiles.com/ugd/b8c837_0e07668e1ce740638d2bf153e34a7753.pdf
    • https://static.usrfiles.com/ugd/eaf48f_14a20ba1d04d4a06af16bd4fa2bd41c1.pdf
    • https://static.usrfiles.com/ugd/b8c837_76409856b9294693a9f06cf6e0a0edd5.pdf
    • https://static.usrfiles.com/ugd/b8c837_dbdd8039c4d94a20a1dacf8571ad8fef.pdf
    • https://static.usrfiles.com/ugd/b8c837_4086dd31989943a6ac7b80299b6be5a1.pdf
    • https://static.usrfiles.com/ugd/9cc572_bf3cecd54c054d3698924fafac09a8e2.pdf
    • https://cdn.shopify.com/s/files/1/0434/8067/8564/files/les_expressions_en_allemand.pdf
    • https://cdn.shopify.com/s/files/1/0431/6980/8550/files/thane_home_guard_bharti_2019_online_form.pdf
    • https://cdn.shopify.com/s/files/1/0431/7151/2480/files/powertec_multi_system.pdf
    • https://cdn.shopify.com/s/files/1/0429/5298/2684/files/visazatagutuw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0000fa9d.bin
ce0f51a52ff476378dc1eda65602efa354b8e57983db400c52084ea1424ea603		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xFA9D 32224 bytes
font_00_sfnt_off0000ae6f.bin
9b1800d0f850c97b8ed431118c952ce1614e3ea5ce39674d1147f43ed51411af		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAE6F 4068 bytes
font_01_sfnt_off0000bc4f.bin
a489bf08ab8891d1e7315ff817194aefb63cf5db83a0dfeb7f93f06c4cce0f14		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBC4F 18688 bytes
font_02_sfnt_off0000da20.bin
9d0ceb37124930c1ce8b3c329f1a5752c14874144df7749d0a56b8a3dff5e8d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDA20 9436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.