Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ceabd817a1e40c6…

Verdict: MALICIOUS
File type: PDF
Size: 70.4 KB
Created: 2020-09-01 14:04:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     480d8dc87b767bfc1958394172b96c27
SHA-1:   b5d852d6afb7019fa6f14514103979c17e2b859d
SHA-256: 0ceabd817a1e40c6e7f96e1745c57faea52fb18db1cb23a9ee24c5137f84b316
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a clickable link to a known malicious redirector, a common tactic for phishing and malware distribution. The document body, though heavily obfuscated, contains the same URL and appears to be a lure built around search results. The many external PDF links, clustered on a single host, further suggest a link farm or SEO-poisoning carrier intended to route users to malicious sites. Note that none of the heuristics below reports embedded JavaScript, and the redirector heuristic itself states that these carriers rely on user interaction and redirect chains rather than a parser vulnerability; the T1059.007 mapping is therefore not backed by a JavaScript finding in the static results shown here.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9984

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In the list below, the w3.org, purl.org and ns.adobe.com URIs are XMP metadata namespaces, and the GNU, SIL OFL, DejaVu, FreeFont and similar URLs are name and license strings from the embedded fonts; both groups are metadata rather than page links.
    URL: https://ttraff.ru/wix?keyword=dj+remix+telugu+language+songs
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://static.usrfiles.com/ugd/05900a_e200d99c9d1a44588026bb4237aaf227.pdf
    • https://static.usrfiles.com/ugd/7ea8bb_88df5de83c034c8fb21a3b6fbc99e521.pdf
    • https://static.usrfiles.com/ugd/d01287_5394aedaf1c34ee990ddbcfbcf0714eb.pdf
    • https://static.usrfiles.com/ugd/7e6083_3915c9a0fe3e4b9cbd27bd49a0d23055.pdf
    • https://static.usrfiles.com/ugd/3b0c81_98186376c7ac4ee88f9fce485a34aa63.pdf
    • https://static.usrfiles.com/ugd/1e32c2_a25e9dbeddef4990a42096682d774868.pdf
    • https://static.usrfiles.com/ugd/a2d007_d305297f221d470abb132464daafc438.pdf
    • https://static.usrfiles.com/ugd/a107db_a0cf101b58d441a2b38fc9cdb96aa58c.pdf
    • https://static.usrfiles.com/ugd/09273f_7d54e22cb7eb4674bc8c4378576024da.pdf
    • https://static.usrfiles.com/ugd/0aab01_8e45b215dea64acd990e5053c5a72fa7.pdf
    • https://static.usrfiles.com/ugd/d2cc1f_e7848b876feb4d5690b727a0366b66ae.pdf
    • https://static.usrfiles.com/ugd/565485_bfc9f208c1a64289836ab51b9d80bbe7.pdf
    • https://static.usrfiles.com/ugd/b9801a_90430a354e97446fb3901c7905c692d2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
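The three heuristics above are described as detection shapes rather than code. The Python below is an added illustration, not part of this report or of the engine that produced it. It runs the same three checks over a constructed minimal PDF: a raw sweep for indirect objects defined twice with differing bodies (severity raised only when a duplicate carries active content, as the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL note describes), resolution of /Link annotation /URI targets under a first-wins and a last-wins policy so the divergent target is exposed, and the per-host clustering behind PDF_SEO_LINK_FARM. The object layout, the hostnames (example.org, files.example.net, redirector.example) and the thresholds (at least three .pdf links, 60% on one host) are assumptions for the demo, not values taken from the report.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a minimal PDF whose object 4 0 is
# defined twice with different /URI bodies, and whose remaining link annotations
# point at .pdf files on a single host. Hostnames are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/about.html) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.example.net/a1.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.example.net/b2.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.example.net/c3.pdf) >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example/go?k=songs) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
# Keys whose presence makes a duplicated body "active content" rather than a
# harmless incremental-update rewrite of layout data (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA")


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order. Raw sweep only:
    objects packed inside compressed /ObjStm streams must be inflated first."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs: dict) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: same id, differing bodies.
    Severity is 'critical' only when a duplicated body carries active content."""
    out = {}
    for key, bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            out[key] = {"definitions": len(bodies),
                        "severity": "critical" if active else "info"}
    return out


def link_uris(objs: dict, policy: str = "last") -> list:
    """/URI targets of /Link annotations as a first-wins or last-wins reader
    would resolve them; the two views differ exactly on duplicated objects."""
    uris = []
    for key in sorted(objs):
        body = objs[key][0] if policy == "first" else objs[key][-1]
        if LINK_RE.search(body):
            uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


def link_farm(uris: list, min_pdf_links: int = 3, cluster_ratio: float = 0.6) -> dict:
    """PDF_SEO_LINK_FARM shape: many external .pdf links clustered on one host.
    Thresholds are illustrative assumptions, not the report's tuning."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    flagged = bool(pdf_links) and len(pdf_links) >= min_pdf_links \
        and top_n / len(pdf_links) >= cluster_ratio
    return {"pdf_links": len(pdf_links), "top_host": top_host,
            "on_top_host": top_n, "flagged": flagged}


def analyze(data: bytes) -> dict:
    objs = parse_objects(data)
    first, last = link_uris(objs, "first"), link_uris(objs, "last")
    return {"duplicates": duplicate_objects(objs),
            "uris_first_wins": first, "uris_last_wins": last,
            # URIs that only one reader policy sees: the parser-confusion payload
            "policy_divergent_uris": sorted(set(first) ^ set(last)),
            "link_farm": link_farm(last)}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_PDF).items():
        print(f"{name}: {value}")
```

Two caveats for use on real samples. The object sweep is a pdfid-style scan of raw bytes, so objects inside compressed object streams and anything referenced only through an xref stream are invisible until the file is normalised (for example with `qpdf --qdf`); and the first-wins/last-wins split is an approximation of reader behaviour, since a conforming reader follows the xref table rather than file order. Literal strings with escaped parentheses and hex-encoded strings are also not handled by the simple /URI regex.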

Extracted artifacts (9)

Files carved from inside the sample during analysis. All nine are of kind pdf-font-stream, each an embedded sfnt (TrueType/OpenType) font program carved at the listed file offset; no script, embedded file or other active payload was carved, consistent with the link-based heuristics above.

Filename                       Offset    Size (bytes)  SHA-256
font_00_sfnt_off00006874.bin   0x6874     6384         acedc839b4d9e0716bdd525cb02e6b9c5dd6d9e8c8e580849d6460eb072ede0d
font_01_sfnt_off0000782a.bin   0x782A     5148         077982246cbb0fa459262e299150923d57012286287364ddf14015e7ebb80142
font_02_sfnt_off0000899c.bin   0x899C     3720         6539b129c5cd894636dc8f40f53a156c00c8f46378ab4f137c96d687a1cff6ed
font_03_sfnt_off000094fc.bin   0x94FC     6000         b38666d906a1af66aa51de4dc66c2521b0d65ccee8baeb9217d8064ee5a0c9b9
font_04_sfnt_off0000a8b8.bin   0xA8B8     4268         d3d805191838e9f74edd25ad1e1161f1d7e505297b89056555065b2bfe34b45f
font_05_sfnt_off0000b99c.bin   0xB99C    10900         62cb605b7613acdbcda9750c2fbec58146cb719b9a5d5f35428619319b788a9b
font_06_sfnt_off0000df08.bin   0xDF08    16760         792841c33bad64d1a5d5deb5e14f4bc9e2eabf20f8898ab218d62f13f42da9ca
font_07_sfnt_off0000f6ab.bin   0xF6AB     3052         9c522176bcda3b4f67629bba8e0712e08890bef8c1e9cdf70e3c7baba253feed
font_08_sfnt_off000102a1.bin   0x102A1    1736         0d9b6ab0354368cdfa5a4e52e4dfb250ede80cec4283e48fafec0a3c1c1d30df