Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f640dc531a15aca…

MALICIOUS

PDF

62.3 KB Created: 2020-08-10 13:20:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f8ae427d5295906613f6d9fbeaebf58 SHA-1: 3e3fed2f2280d3197e900a9d8281b36239003ba4 SHA-256: 0f640dc531a15acae8e1cd735e88c0f6eacee938857e1f6e3e25159e15ce3c01
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many pointing to suspicious domains, indicating a link farm or SEO manipulation tactic. One critical heuristic identified a link to known malicious redirector infrastructure at `https://ttraff.ru/pify?keyword=qaseeda+burda+sharif+urdu+pdf`. While no scripts were extracted, the presence of numerous external links suggests the document's primary purpose is to redirect users to potentially malicious websites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=qaseeda+burda+sharif+urdu+pdf
    • http://dexurugo.bodkacoffee.com/uploads/1/3/0/7/130776208/4b56b3a5.pdf
    • http://files.aogshoetique.com/uploads/1/3/1/0/131070820/xubuxovupa-dawova-wezudada.pdf
    • http://files.hightowerstaten.com/uploads/1/3/1/3/131384424/komologu.pdf
    • http://nikivef.zakiazdesigns.com/uploads/1/3/1/0/131071243/8dc5cc6ced62.pdf
    • http://files.westmontmusicacademy.com/uploads/1/3/2/6/132683484/2c9b5e.pdf
    • http://imgfil.com/18v457
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/6377/9240/files/96303110794.pdf
    • https://cdn.shopify.com/s/files/1/0440/8036/5720/files/gojevugajozunakokutoti.pdf
    • https://cdn.shopify.com/s/files/1/0437/6523/5866/files/add_python_2._7_to_path.pdf
    • https://cdn.shopify.com/s/files/1/0433/5131/0488/files/83463419879.pdf
    • https://cdn.shopify.com/s/files/1/0436/5818/2809/files/biologics_in_rheumatoid_arthritis_pdf.pdf
    • https://cdn.shopify.com/s/files/1/0429/9803/8679/files/febudiwovasimixeminuseb.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/86562581376.pdf
    • https://cdn.shopify.com/s/files/1/0439/3123/8555/files/98775923395.pdf
    • https://cdn.shopify.com/s/files/1/0437/7978/4866/files/83289300565.pdf
    • https://cdn.shopify.com/s/files/1/0437/8748/5342/files/71635468258.pdf
    • https://cdn.shopify.com/s/files/1/0430/4447/0945/files/rikelepafozujasosuwojerax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off0000c72b.bin
ec5e10424c3fa71b7fcfa1a827b4aa12e2707277837eb57f830a162b357530b2		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC72B 21440 bytes
font_00_sfnt_off000083aa.bin
b90716426d23fd81ba146cefd202a29455009915e3eda50af4661b2b493c54aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83AA 5300 bytes
font_01_sfnt_off00009597.bin
185865b8511c66a4cc2390154fc5f319bb796a9198e5bdcd326de3e77f9cdbdc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9597 15976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.