Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ce2f01e40e8e4c4…

Verdict: MALICIOUS
File type: PDF

File size: 102.1 KB
Created: 2020-07-25 14:56:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a4d00a6e1a779fd09da37a532352a503
SHA-1: 69a37df966e502ba954d9ee88313026b7ef5f890
SHA-256: 0ce2f01e40e8e4c4a1d534111e8a6a13ef33d3daa14114a19d58345a599687de
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links, with one identified as a known malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external PDF links, suggesting a tactic to manipulate search engine results or distribute further malicious content. While no scripts were explicitly extracted, the presence of embedded URLs and the ML classification strongly suggest malicious intent, likely related to phishing or redirecting users to harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/pify?keyword=android+one+mobile+phones+list
    • http://files.tashtinkennel.com/uploads/1/3/1/3/131397996/tetiduxuban.pdf
    • http://files.firstaidcomicstaylor.com/uploads/1/3/1/1/131163858/387445367.pdf
    • http://files.radsinternational.com/uploads/1/3/2/7/132712006/kerasivimo_tuwuridusuxig.pdf
    • http://files.paterpaulus.us/uploads/1/3/0/8/130874366/bakis.pdf
    • http://files.kingsporthorses.com/uploads/1/3/1/3/131383553/1742861.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://cdn.shopify.com/s/files/1/0434/7245/3797/files/75874936629.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/mupuxisupevijerabufogete.pdf
    • https://cdn.shopify.com/s/files/1/0429/7926/2615/files/54277330936.pdf
    • https://cdn.shopify.com/s/files/1/0433/0645/1094/files/pivugiteluguwes.pdf
    • https://cdn.shopify.com/s/files/1/0429/0389/6230/files/225999296.pdf
    • https://cdn.shopify.com/s/files/1/0429/0543/6326/files/7053457587.pdf
    • https://cdn.shopify.com/s/files/1/0435/4077/5064/files/51526497824.pdf
    • https://cdn.shopify.com/s/files/1/0429/7683/7785/files/pigizozexe.pdf
    • https://cdn.shopify.com/s/files/1/0429/9004/3285/files/60833897801.pdf
    • https://cdn.shopify.com/s/files/1/0431/1760/9122/files/bilutawakikasutas.pdf
    • https://cdn.shopify.com/s/files/1/0434/8477/4552/files/tititatagelabixugevotife.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/razikeruranofe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f82f.bin | dafad11b1dafb31ca7d46e80ed32c4ef0bf72320e611296dffcecb76709caa1c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF82F | 15800 bytes
font_01_sfnt_off00012ae5.bin | 0ded4ba81f5b762cfd431ee395d1ea3eb1596fbcc1443efb654e5b1357ff4849 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12AE5 | 4908 bytes
font_02_sfnt_off00013b44.bin | e61b3811f093904abc2a00a29bd45db1549685b1efe7dd4f1a6b778f27f6c0c7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13B44 | 9404 bytes
font_03_sfnt_off000155a8.bin | d89b09f2b64c6734236d239ba066a9aa611be179b1e7bd6520441c1a9670e13b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x155A8 | 10728 bytes
font_04_sfnt_off00017a80.bin | 7739467849dd6acc85db8da4fb205d85f254e987f0da3444e2f94e3f74148569 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17A80 | 4756 bytes