Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d61124ea2d0a0f6…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Created: 2020-09-21 03:32:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e4775cb831cb57b292cf7ee1b33b0b5
SHA-1: ec0e9958a5953a3ddfe4995cf1b6b013fd0e2d89
SHA-256: 0d61124ea2d0a0f6b681f0b0b50dce62543d136712516498d87e8932c21020c0
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded links that point to a redirector, a common tactic for phishing and malware distribution. The ML classifier strongly indicated maliciousness, and the PDF structure suggests the document is designed to host a large number of links, most likely for SEO poisoning or to distribute further malicious content. No scripts were extracted, but the presence of the malicious links is sufficient evidence of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off00006bc8.bin
  SHA-256: 3ace30be642b05edf0ed1cc53dbcbab656842637db17a254224b452d92cb9686
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6BC8
  Size: 5364 bytes

Artifact 2
  Filename: font_01_sfnt_off00007e16.bin
  SHA-256: 09e95b1d7c38e4a9f6a4c61b25fd77dc94fa05d82c763f6acd862620ad9d8d20
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7E16
  Size: 10364 bytes