Malicious PDF — malware analysis report

Static analysis result for SHA-256 12aff8400de66f98…

MALICIOUS

PDF

69.9 KB Created: 2020-09-17 12:17:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45611824116548c0200ee46f1d9b22b6 SHA-1: 2ad76c792be8a8daf78f0500e19cbed17d023339 SHA-256: 12aff8400de66f980a39782afabe90786a42feafb63765112466232c462e2e6a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by a machine learning classifier and contains numerous embedded links. The document body, though heavily obfuscated, contains a URL that appears to be a lure for downloading software modifications. The embedded links likely lead to malicious redirector infrastructure or further malicious content, aiming to trick users into downloading malware or visiting phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=my+secret+bistro+mod+apk+happymod
    • http://dupepu.vcrhm.org/uploads/1/3/1/4/131452976/0a4208.pdf
    • http://jadet.thegiveagency.ca/uploads/1/3/0/8/130813784/3152502.pdf
    • http://guxekane.thebigbarmitzvah.com/uploads/1/3/0/7/130776760/jomejixuwuzow.pdf
    • http://files.mountainhomeyogacenter.com/uploads/1/3/1/3/131379615/gonorujawaginufew.pdf
    • http://ragatunu.diamondglamco.com/uploads/1/3/0/8/130873922/dotekewagutetu.pdf
    • http://zirununix.donnastocker.com/uploads/1/3/1/4/131408432/papadovejeko.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • http://www.daltonmaag.com/
    • https://0b7ee999-c10f-4988-8780-a6f87feb19d4.filesusr.com/ugd/e2c223_eed2c629b9be400b8e3c4bf5f0d9fcba.pdf?index=true
    • https://1b596abc-7c9d-40c6-a544-7b562ea69891.filesusr.com/ugd/217b8a_a86a164b180c46c79265433250116cfe.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0434/3247/6838/files/1783428707.pdf
    • https://cdn.shopify.com/s/files/1/0433/7670/5690/files/adobe_reader_apk_version_history.pdf
    • https://cdn.shopify.com/s/files/1/0429/3358/4035/files/27823385106.pdf
    • https://cdn.shopify.com/s/files/1/0428/6060/9692/files/attendance_sheet_format_for_teachers.pdf
    • https://cdn.shopify.com/s/files/1/0434/5852/7397/files/36293821873.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off0000c976.bin
980617da3d4c2d82b60d6a3480cbb18f3d308bb6c7614f60e9b48a37411199c0		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC976 27604 bytes
font_00_sfnt_off00006b98.bin
40b3a2f80353cd7794414d6af9a57853169943473f3b51bc10c23de11a6ef2a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B98 5588 bytes
font_01_sfnt_off00007f22.bin
9a436335f002bff647e28896947591480f2660d2cde39ab20ef3d949bec78b54		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F22 5276 bytes
font_02_sfnt_off00009109.bin
2da83060ad210a9a1743b04a22b2cc5ebb14ba7af64fbaa5f25da2d26a1b3d84		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9109 6640 bytes
font_03_sfnt_off0000a2a7.bin
1c8b4293e575c34050fb848d5c5ee388ed061b2cff7328f23c03de9cbc42e962		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA2A7 12236 bytes
font_05_sfnt_off0000f9fa.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF9FA 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.