Malicious PDF — malware analysis report

Static analysis result for SHA-256 1063ad8b6095e765…

MALICIOUS

PDF

83.0 KB Created: 2020-09-18 23:39:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00088286ae8103bf5a78f7c9ac9ee416 SHA-1: 484825cb1c75e65e8e8a368114221c66d4ddc96a SHA-256: 1063ad8b6095e765cf25e4c0f6155f2484c8e61dfd6a3700d098f46c27ea740d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of embedded links, many of which point to external PDF files. One of the primary links, https://ttraff.cc/wix?keyword=%25EA%25B9%2580%25EC%2584%25B1%25EC%2588%2598+%25EB%25AA%25A9%25EC%2582%25AC+%25EC%2584%25A4%25EA%25B5%2590, is identified as a malicious redirector. The document's structure and the presence of numerous links suggest an attempt to lure users to malicious or spam content, potentially as part of a phishing or SEO poisoning campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=%25EA%25B9%2580%25EC%2584%25B1%25EC%2588%2598+%25EB%25AA%25A9%25EC%2582%25AC+%25EC%2584%25A4%25EA%25B5%2590
    • http://vodiv.huonvalleyescapes.net/uploads/1/3/1/4/131438405/941987.pdf
    • http://files.allanlacoursiere.com/uploads/1/3/1/4/131438510/gadim-xogidizig-guxaparumot.pdf
    • http://kapedomu.quiltsforu.com/uploads/1/3/0/9/130969110/jalikodes.pdf
    • http://nutupal.jacksonandthepoolsharks.com/uploads/1/3/1/4/131406893/kelal.pdf
    • http://pavinixe.theimperfectmd.com/uploads/1/3/0/7/130776824/sewaruw_litafefusujele.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0433/5891/2662/files/chaahat_movie_480p.pdf
    • https://cdn.shopify.com/s/files/1/0437/4262/5953/files/attraction_movie_tamil_dubbed.pdf
    • https://cdn.shopify.com/s/files/1/0435/9667/7279/files/memorandum_report_format.pdf
    • https://cdn.shopify.com/s/files/1/0438/1271/6701/files/kofulejonumumujamera.pdf
    • https://cdn.shopify.com/s/files/1/0431/3815/4650/files/bulandiyan_song_full_hd_video.pdf
    • https://e728b248-919b-4288-8a5d-1071e3439463.filesusr.com/ugd/f390e7_6eb032e6e6014fea9ed67b79b259e961.pdf?index=true
    • https://f38e972f-dab2-4496-915a-e9b04049204a.filesusr.com/ugd/2b25b5_4032a594e5ff4915bd247a1f087b36a6.pdf?index=true
    • https://2f9aacda-23fb-4a77-ba47-d91ef33f1306.filesusr.com/ugd/8a9bcc_88c734a941c54777802f516f8cc1abee.pdf?index=true
    • https://e8f2692e-9b90-4263-a583-688f2b503aa4.filesusr.com/ugd/4329d7_bdf20c2772b24c1286453f3c80c24668.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000085a4.bin
5b7a25a9fbdd3774b71f920b7cc93697c2b13e363ae9b5bb493029b3bde8e974		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85A4 26552 bytes
font_01_sfnt_off0000d0d5.bin
037eac276a7637cf49141ca33e98d7ca7bcd4ea36cf68831b2e47d2ff58964c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD0D5 3744 bytes
font_02_sfnt_off0000de34.bin
39b723426ba3d8c138591a08cf7ac57ce1af2078f96d7f7cb3d2ce0498b9dbc4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDE34 3396 bytes
font_03_sfnt_off0000e93c.bin
6510163f02be11678397419bc627b8154fbcc03afcc39605ef518257491bd8c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE93C 15196 bytes
font_04_sfnt_off0001188f.bin
c5b81f703ebddc697e6824868dcd306aba919aa4c1ec28f594a83a04df97872b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1188F 16144 bytes
font_05_sfnt_off00012d8f.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12D8F 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.