Malicious PDF — malware analysis report

Static analysis result for SHA-256 12c0dd39e4586fc0…

Verdict: MALICIOUS
File type: PDF
Size: 50.4 KB
Created: 2020-08-08 12:48:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84654e4fa3807f13966bea4324425642
SHA-1: c31d9775a375f167282a14cbb3e5cfb3889c2ff1
SHA-256: 12c0dd39e4586fc0d55e0f60da60e92e2096189719e7a23fd3688067f68af4e9
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of link annotations, many of which point to a redirector service. The primary malicious link, 'https://ttraff.cc/pify?keyword=avadhoota+gita+pdf', is flagged as a malicious redirector; its keyword parameter is a document search phrase, which together with the mass of external PDF links is consistent with a generated SEO/link-farm carrier built to route users who search for such documents into malicious or unwanted-software delivery chains, likely for phishing or malware distribution. No scripts were extracted: the attack relies on the user clicking a link and on the redirect chain behind it, not on a parser vulnerability or embedded code. The T1059.007 (JavaScript) mapping above is therefore not corroborated by the document's own content; treat the link annotations and the redirector host, not script execution, as the primary indicators.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
      • https://ttraff.cc/pify?keyword=avadhoota+gita+pdf
      • http://files.earlychildhoodpartners.com/uploads/1/3/1/0/131070520/1284791.pdf
      • http://vaziw.sawyerscluster.com/uploads/1/3/0/8/130815017/c886e56b.pdf
      • http://xewuxa.younggunsfishingteam.com/uploads/1/3/1/4/131453194/nopozu_fufofejodanal.pdf
      • http://www.ascendercorp.com/
      • http://www.ascendercorp.com/typedesigners.html
      • http://fedorahosted.org/lohit
      • https://cdn.shopify.com/s/files/1/0438/2982/1597/files/wireless_network_topology.pdf
      • https://cdn.shopify.com/s/files/1/0430/9339/3557/files/zemowulijelokud.pdf
      • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/57727452667.pdf
      • https://cdn.shopify.com/s/files/1/0430/2487/5674/files/mapa_politico_europa.pdf
      • https://cdn.shopify.com/s/files/1/0427/8360/4903/files/pagejaropevidejaxiwujetek.pdf
      • https://cdn.shopify.com/s/files/1/0433/5714/3199/files/tuvaveli.pdf
      • https://cdn.shopify.com/s/files/1/0432/6447/5299/files/sun_beam_grill.pdf
      • https://cdn.shopify.com/s/files/1/0437/2601/2567/files/nahmias_production_and_operations_analysis.pdf
      • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/7082322425.pdf
      • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/51686393220.pdf
      • https://cdn.shopify.com/s/files/1/0441/3734/9272/files/geauxbiz_annual_report.pdf
      • https://cdn.shopify.com/s/files/1/0429/7133/2767/files/towidemafi.pdf
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
      • http://scripts.sil.org/OFL
    Not every entry is a clickable link. The w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers from the document's metadata packet, scripts.sil.org/OFL is the SIL Open Font License URL, and the ascendercorp.com and fedorahosted.org/lohit entries are font vendor/project references, most likely from the embedded fonts' name tables. The actionable set is the ttraff.cc redirector plus the clustered .pdf links on cdn.shopify.com and the three uploads/ hosts, which is the link-farm pattern the PDF_SEO_LINK_FARM heuristic fires on.
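The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a small scanner over the raw object syntax. The following is an added example written for this page, not code from the analysis engine that produced the report. It reads only uncompressed top-level `N G obj ... endobj` definitions (objects inside object streams or encrypted files would need decoding first), treats a `/URI` literal with an unescaped `)` as a parse error it does not handle, and the sample file, hostnames (cdn.example-farm.test, files.other-host.test, ttraff.example.test) and thresholds are all constructed for illustration rather than taken from the analysed document.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Uncompressed top-level "N G obj ... endobj" definitions, in file order.
# Objects packed in object streams or encrypted files are not seen by this regex.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that make a definition "active": anything a reader may execute or follow.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/URI")


def iter_objects(pdf: bytes):
    """Yield (num, gen, body) for each indirect object definition in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def has_active_content(body: bytes) -> bool:
    return any(key in body for key in ACTIVE_KEYS)


def link_farm(pdf: bytes, min_links=10, cluster_ratio=0.6, max_size=256 * 1024):
    """PDF_SEO_LINK_FARM-style check (thresholds are assumed): many external .pdf
    links in a small file, mostly clustered on one host.
    Returns (flagged, per-host link counts)."""
    hosts = Counter()
    for _, _, body in iter_objects(pdf):
        for raw in URI_RE.findall(body):
            url = urlparse(raw.decode("latin-1"))
            if url.path.lower().endswith(".pdf"):
                hosts[url.hostname or "?"] += 1
    total = sum(hosts.values())
    flagged = (len(pdf) <= max_size and total >= min_links
               and hosts.most_common(1)[0][1] / total >= cluster_ratio)
    return flagged, dict(hosts)


def duplicate_objects(pdf: bytes):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: object ids defined more than
    once with differing bodies. A first-wins reader resolves bodies[0], a last-wins
    reader bodies[-1]; severity is raised only if a conflicting body is active."""
    defs = {}
    for num, gen, body in iter_objects(pdf):
        defs.setdefault(f"{num} {gen}", []).append(body)
    findings = {}
    for obj_id, bodies in defs.items():
        if len(set(bodies)) < 2:
            continue  # identical re-definitions are not a confusion shape
        findings[obj_id] = {
            "definitions": len(bodies),
            "first_wins_active": has_active_content(bodies[0]),
            "last_wins_active": has_active_content(bodies[-1]),
            "severity": "high" if any(map(has_active_content, bodies)) else "info",
        }
    return findings


def build_sample() -> bytes:
    """Constructed sample (assumed hostnames, not from the analysed file): 12 link
    annotations to one host, 2 elsewhere, then an incremental update that rewrites
    the Info dict (benign) and swaps one link annotation for JavaScript (active)."""
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
            b"3 0 obj\n<< /Producer (constructed) /ModDate (D:20200808) >>\nendobj\n"]
    urls = [f"https://cdn.example-farm.test/files/{i}/doc{i}.pdf" for i in range(12)]
    urls += ["http://files.other-host.test/a.pdf",
             "https://ttraff.example.test/pify?keyword=some+title+pdf"]
    for num, url in enumerate(urls, start=10):
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link "
                    f"/A << /S /URI /URI ({url}) >> >>\nendobj\n".encode())
    pdf = b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update appended after the first %%EOF.
    pdf += (b"3 0 obj\n<< /Producer (constructed) /ModDate (D:20200809) >>\nendobj\n"
            b"10 0 obj\n<< /Type /Annot /Subtype /Link "
            b"/A << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return pdf


if __name__ == "__main__":
    sample = build_sample()
    print("link farm:", link_farm(sample))
    print("duplicates:", duplicate_objects(sample))
```

On the constructed sample the link-farm check fires (12 of 13 .pdf links on one host; the redirector URL has no .pdf path and is deliberately not counted), and the duplicate check reports object 3 0 as info (body-only metadata change) and object 10 0 as high, because the last-wins definition carries a JavaScript action while the first-wins definition was a plain URI link. On a real file, run the same two checks after inflating FlateDecode object streams, otherwise a duplicate hidden in an object stream will be missed.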

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off00007be9.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x7BE9   5044 bytes
    SHA-256 7d0bee82ef6e8c5e8a068a8811b6d2d521e7b0de6e2f833a403377eaef1f7e23
font_01_sfnt_off00008d24.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x8D24   10120 bytes
    SHA-256 ea9250ebf5c46af607f97a142504d4a30520e427030f76c05ff3721ff13c760d
font_02_sfnt_off0000b004.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xB004   3260 bytes
    SHA-256 34b72212eb117f3a49ac0eb956dedbce6e5c22b97d6ef98639fd6fe91a3f9c65

Only embedded fonts were carved; no scripts, embedded files or other executable payloads were recovered, which is consistent with the verdict resting on the link annotations and redirector infrastructure rather than on an exploit or dropped code.