Malicious PDF — malware analysis report

Static analysis result for SHA-256 12677db9c83474e3…

MALICIOUS

PDF

39.5 KB Created: 2020-08-31 03:03:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fba3aff1ce55015b5aa23e0a88462c7e SHA-1: 6ead0b4980527db44c2b025ec4893530cb222a30 SHA-256: 12677db9c83474e3637afa9775f6c22be3732c011a26b9f3ec94b9cc36ab7e82
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link to a known malicious redirector, indicating an attempt to lure the user to a harmful site. The heuristic firings confirm the presence of malicious redirector links and a link farm, suggesting a phishing or scam attempt. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=biggan+chinta+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/ea78e0_dbf63d74ae824586b8f89f062cc7b583.pdf
    • https://static.usrfiles.com/ugd/b8c837_44b0347737ab4394b3e02defa38c2303.pdf
    • https://static.usrfiles.com/ugd/d775a9_940cbbe798444ca58cb42c1b6f932cd4.pdf
    • https://static.usrfiles.com/ugd/bf650e_e76e7db667184a7fa9904a85e0ca1ab4.pdf
    • https://static.usrfiles.com/ugd/3be3a7_7fe109e58e0549c0a2b67f306eab74da.pdf
    • https://static.usrfiles.com/ugd/b8c837_ec6dc4abfed24e0485d191fad560d80a.pdf
    • https://cdn.shopify.com/s/files/1/0435/0086/3643/files/legendary_weapons_gw2_guide.pdf
    • https://cdn.shopify.com/s/files/1/0434/1802/6140/files/87807951739.pdf
    • https://cdn.shopify.com/s/files/1/0431/6856/3351/files/84313673664.pdf
    • https://cdn.shopify.com/s/files/1/0435/9703/7730/files/xomuzafawapif.pdf
    • https://cdn.shopify.com/s/files/1/0429/1277/6351/files/87701797975.pdf
    • https://cdn.shopify.com/s/files/1/0428/3292/0739/files/99717452653.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e4f.bin
d3fe43aee7462626b53fd8f35b1601d0ac54c94ada9df54f763b5410f5ad1f7b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E4F 5160 bytes
font_01_sfnt_off00006fd9.bin
786d074d526a93a22c87d66bb60b8af6587e14a2c6a0bb7d12ea36a77aea3fbc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FD9 9964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.