Malicious PDF — malware analysis report

Static analysis result for SHA-256 13fa59a575cec433…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Created: 2020-10-16 22:48:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c231395c2e063ea5c4eaeb7dbd1e5b68
SHA-1: a4e136c0acf9114c21e017dc3c264e5756bdeeb1
SHA-256: 13fa59a575cec4339702da962d0d33cbafaf451379648f506c6c2f53ac141808
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded link annotations, one of which points to a known malicious redirector. The document body, though heavily obfuscated, contains text about an 'Oxford engineering science course handbook' together with a keyword-bearing URL of the kind used by SEO link farms to attract search traffic. The ML classifier scores the file as malicious, and the redirector link indicates an attempt to route the user to a harmful site. Both critical heuristics describe a social-engineering delivery chain that depends on the user clicking a link, not a PDF reader exploit, so the redirect destination rather than the parser is the main concern for responders.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/123?keyword=oxford+engineering+science+course+handbook
    • https://cdn-cms.f-static.net/uploads/4375699/normal_5f8999853883b.pdf
    • https://cdn-cms.f-static.net/uploads/4372072/normal_5f88b08b25942.pdf
    • https://cdn-cms.f-static.net/uploads/4369773/normal_5f89e6b3242ba.pdf
    • https://cdn-cms.f-static.net/uploads/4370051/normal_5f880704b7c2a.pdf
    • https://cdn-cms.f-static.net/uploads/4366366/normal_5f8713d264aa3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/53392c04-eaee-49ff-8d75-59014103b725/ruwinegisexat.pdf
    • https://uploads.strikinglycdn.com/files/d31cab1f-02ef-4067-b93a-f30db9ce0871/nixafegoxebizawidadibat.pdf
    • https://uploads.strikinglycdn.com/files/ae800146-97ef-4a84-bcc9-b176d3de6e08/lunobabewamabizekobarip.pdf
    • https://uploads.strikinglycdn.com/files/30e70beb-e8dc-43fc-a81d-b17c61f7083f/25426028545.pdf
    • https://uploads.strikinglycdn.com/files/e3dd1c68-5247-4e61-8c34-71cea98510cd/far_cry_4_free_download_for_pc_full_version_with_crack.pdf
    • https://cdn.shopify.com/s/files/1/0494/0031/6060/files/et_money_apk_file_download.pdf
    • https://cdn.shopify.com/s/files/1/0480/9703/4393/files/poverty_in_fiji_graphs.pdf
    • https://uploads.strikinglycdn.com/files/eca2925f-982a-4c14-b24b-bdaa6271b319/nolekaweridalo.pdf
    • https://uploads.strikinglycdn.com/files/21e2190d-1149-4c76-8005-aac9907407b3/badipitoxakanoje.pdf
    • https://uploads.strikinglycdn.com/files/83d87278-a9c6-4a5f-8759-c969f0cc06b5/sonaji.pdf
    • https://uploads.strikinglycdn.com/files/ba98e578-bdaf-4677-91dc-f1a9f2771988/wonemelumivif.pdf
    • https://uploads.strikinglycdn.com/files/a06c5fe1-d398-4b92-b4ff-6d7d71985acd/91370980616.pdf
    • https://uploads.strikinglycdn.com/files/d6dd523f-203d-4e88-8415-f27239b2dffe/tujetewijizubuxagekogo.pdf
    • https://uploads.strikinglycdn.com/files/a01a043d-4679-40d4-a421-35a79d8fa4fa/pesogugaxidamerafifosuba.pdf
    • https://cdn.shopify.com/s/files/1/0431/3723/7146/files/pathfinder_double_hackbut_build.pdf
    • https://cdn.shopify.com/s/files/1/0496/5711/8883/files/four_legs_good_two_legs_bad_literary_device.pdf
    • https://cdn.shopify.com/s/files/1/0428/8059/8172/files/88466147775.pdf
    • https://cdn.shopify.com/s/files/1/0437/8591/2477/files/bcba_study_guide.pdf
    • https://cdn.shopify.com/s/files/1/0435/4513/3207/files/manual_liquid_filling_machine_australia.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    Note: the last seven entries are XMP/RDF namespace identifiers and a font-licence URL that occur as metadata strings, not as clickable link annotations; they are expected in any wkhtmltopdf output and carry no weight in the verdict.
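The two heuristic shapes in this report, a link-farm PDF and an incremental update that redefines an object, can be reproduced on a constructed file. The block below is an added example, not the scanner's own code: it locates `N G obj ... endobj` definitions with a regex (enough for a flat, uncompressed sample; a real scanner must also walk the xref chain and object streams), extracts `/URI` targets from `/Link` annotations, scores the host clustering of external `.pdf` links, and shows how a first-wins and a last-wins reader see different targets for the same object. All hostnames, thresholds and the sample PDF bytes are constructed for the example.

```python
"""Added example: emulate PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
on a constructed PDF. Not the scanner's code; all hosts and thresholds are assumed."""
import re
from collections import Counter
from urllib.parse import urlparse

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string /URI values only


def scan_objects(data):
    """All 'N G obj ... endobj' definitions in file order, duplicates included."""
    return [(int(n), int(g), body) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(objs):
    """(num, gen) keys defined more than once with differing bodies."""
    first_body, dups = {}, set()
    for n, g, body in objs:
        if first_body.setdefault((n, g), body) != body:
            dups.add((n, g))
    return sorted(dups)


def resolve(objs, policy):
    """Object table as seen by a 'first'-wins or 'last'-wins reader."""
    table = {}
    for n, g, body in objs:
        if policy == "first" and (n, g) in table:
            continue
        table[(n, g)] = body
    return table


def extract_uris(table):
    """Clickable link targets from /Link annotations in the resolved table."""
    uris = []
    for body in table.values():
        if b"/Subtype /Link" in body or b"/Subtype/Link" in body:
            uris += [u.decode("latin-1") for u in URI_RE.findall(body)]
    return uris


def link_farm(uris, file_size, max_size=256 * 1024, min_links=10, share=0.5):
    """Small file, many external .pdf links, most on one host (thresholds assumed)."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    if file_size > max_size or len(pdf_links) < min_links:
        return None
    host, n = Counter(urlparse(u).netloc for u in pdf_links).most_common(1)[0]
    if n / len(pdf_links) < share:
        return None
    return {"pdf_links": len(pdf_links), "top_host": host, "share": n / len(pdf_links)}


def build_sample():
    """Constructed PDF (not the analysed sample): one page with 13 link
    annotations, then an incremental update that redefines object 4 0 so a
    last-wins reader follows a redirector where a first-wins reader saw a .pdf."""
    farm = [f"https://cdn.farm-a.test/files/{i:04d}/doc{i}.pdf" for i in range(10)]
    farm += ["https://cdn.farm-b.test/x/one.pdf", "https://cdn.farm-b.test/x/two.pdf"]
    annot = "<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>"
    body = ["%PDF-1.4",
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj",
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj",
            "3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R %s] >>\nendobj"
            % " ".join(f"{10 + i} 0 R" for i in range(len(farm))),
            "4 0 obj\n%s\nendobj" % (annot % "https://benign.example/handbook.pdf")]
    body += ["%d 0 obj\n%s\nendobj" % (10 + i, annot % u) for i, u in enumerate(farm)]
    body += ["trailer\n<< /Root 1 0 R >>\n%%EOF"]
    # Incremental update appended after %%EOF: same number and generation,
    # different body. No xref table is written; this scanner does not read one.
    update = ["4 0 obj\n%s\nendobj" % (annot % "https://redirector.test/go?kw=handbook"),
              "trailer\n<< /Root 1 0 R >>\n%%EOF"]
    return "\n".join(body + update).encode("latin-1")


def analyse(data):
    """Run both heuristics and report what each reader policy would follow."""
    objs = scan_objects(data)
    first = extract_uris(resolve(objs, "first"))
    last = extract_uris(resolve(objs, "last"))
    return {"duplicates": duplicate_objects(objs),
            "first_wins_uris": first, "last_wins_uris": last,
            "link_farm": link_farm(last, len(data))}


if __name__ == "__main__":
    result = analyse(build_sample())
    print("duplicate objects:", result["duplicates"])
    print("first-wins target:", [u for u in result["first_wins_uris"] if "handbook" in u])
    print("last-wins target :", [u for u in result["last_wins_uris"] if "handbook" in u])
    print("link farm        :", result["link_farm"])
```

The point of running both policies is the triage caveat in the heuristic text: a duplicate object is only interesting if the two bodies differ in something actionable, so a scanner should report the link target (or action) under each policy rather than just the fact of duplication. Applying the link-farm score to the last-wins view mirrors what a typical viewer, which honours the latest incremental update, would present to the user.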

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007256.bin
SHA-256: 63edfbc12f0529607868773cb1ee7afc9b8d87078eb3a0b7faa1b402d1d512dd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7256
Size: 5548 bytes

Filename: font_01_sfnt_off00008534.bin
SHA-256: 5c571f1fa38e2ea1f9e06b67a08ca0e3a3ba59b88acea4a2fad1605b4b543933
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x8534
Size: 11160 bytes