Malicious PDF — malware analysis report

Static analysis result for SHA-256 135051a2178391ce…

MALICIOUS

PDF

55.8 KB Created: 2020-08-26 10:39:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dbfe16c20a809f6c7709de587d2d9c0e SHA-1: a75de2365b43fb7bf3a49a8c77fdde23ef7723be SHA-256: 135051a2178391ceef5e5333a083626f5962058baa4362f8987184896206bd89
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains a URL that is also flagged as a malicious redirector. This suggests the primary goal is to direct users to malicious sites, likely for phishing or to download further payloads. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=yakuza+0+telephone+club
    • http://nowilul.cambusnethanpriory.com/uploads/1/3/1/3/131381204/4a54d40.pdf
    • http://sutabe.insideoutnh.com/uploads/1/3/0/9/130969352/3107458.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0432/6657/2452/files/fakemojurubijib.pdf
    • https://cdn.shopify.com/s/files/1/0435/2661/9300/files/30269183307.pdf
    • https://cdn.shopify.com/s/files/1/0431/0004/5465/files/kabavenavo.pdf
    • https://cdn.shopify.com/s/files/1/0437/5301/3409/files/nodejs_validate_email_format.pdf
    • https://cdn.shopify.com/s/files/1/0438/3863/6192/files/24978960138.pdf
    • https://cdn.shopify.com/s/files/1/0436/9884/7896/files/ibm_rational_appscan_tutorial.pdf
    • https://cdn.shopify.com/s/files/1/0440/0663/7726/files/96773283114.pdf
    • https://cdn.shopify.com/s/files/1/0433/4646/0830/files/kunelopobatuwesidurelugev.pdf
    • https://cdn.shopify.com/s/files/1/0433/9089/4247/files/nekker_witcher_3.pdf
    • https://cdn.shopify.com/s/files/1/0428/9832/5663/files/damenevixuselogem.pdf
    • https://cdn.shopify.com/s/files/1/0440/7279/6310/files/nazatomabosamewuv.pdf
    • https://cdn.shopify.com/s/files/1/0435/6263/1326/files/neuralgia_del_trigemino_tratamiento_fisioterapeutico.pdf
    • https://cdn.shopify.com/s/files/1/0428/8466/1414/files/51003755174.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007bb6.bin
a988c108db5e578128918098e3dd7a9e7d442fabdc328ae1dd551ff77172da31		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BB6 5104 bytes
font_01_sfnt_off00008d03.bin
de9389e3c85eef856688fac6186c2c3f81b731a2d958c650cd787edcd75f1b2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D03 4440 bytes
font_02_sfnt_off000098eb.bin
b4f6c855c9d7a3fa89c412c499f0b51ee683522d76dc1bb9cac141a9bc7527bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x98EB 10380 bytes
font_03_sfnt_off0000bca0.bin
d79f8630c379324a8adf2ace1ac13854873a4a312a92cebc5b57330f95112618		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBCA0 16076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.