Malicious PDF — malware analysis report

Static analysis result for SHA-256 14e4f41856b5e944…

Verdict: MALICIOUS
File type: PDF
Size: 45.7 KB
Created: 2020-08-11 13:21:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cb0813c61163d1e59d7860a7333c8d30
SHA-1: 28c8b97d01df61d0762be414908fbf3aa7d9f56b
SHA-256: 14e4f41856b5e94490769d6d6105ec8345889cff83ff94b3287e5c33c70c74e3
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The sample is a PDF document that contains a large number of embedded links, many of which point to external resources. One critical heuristic identified a link to known malicious redirector infrastructure, and another flagged it as a PDF SEO link farm with over 30 external PDF links. The ML classifier also strongly indicated maliciousness. These findings suggest the document's primary purpose is to redirect users to potentially harmful websites, likely for SEO manipulation or to host further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs
    • https://ttraff.cc/wb?keyword=library%20of%20congress%20classification%20example%20pdf
    • http://files.stefczaksgreenhouse.com/uploads/1/3/2/6/132681579/937705734dbf.pdf
    • http://nuseri.embracingonesoulatatime.net/uploads/1/3/0/8/130814328/xokixikososalad.pdf
    • http://files.joinerystudio.com/uploads/1/3/1/3/131380889/5763458.pdf
    • http://files.keepitmovinginc.org/uploads/1/3/2/6/132683292/5561538.pdf
    • http://files.tworock4h.com/uploads/1/3/0/7/130776728/povefadavagajofugeb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0431/2032/8864/files/90618861429.pdf
    • https://cdn.shopify.com/s/files/1/0447/1137/9097/files/rumogenarafowasezojitelus.pdf
    • https://cdn.shopify.com/s/files/1/0431/4356/1376/files/40177681649.pdf
    • https://cdn.shopify.com/s/files/1/0437/3417/1800/files/31254662001.pdf
    • https://cdn.shopify.com/s/files/1/0429/2182/0313/files/23229179912.pdf
    • https://cdn.shopify.com/s/files/1/0431/4447/8874/files/11517134123.pdf
    • https://cdn.shopify.com/s/files/1/0440/8341/3142/files/biology_chapter_wise_questions_for_neet.pdf
    • https://cdn.shopify.com/s/files/1/0427/7554/3964/files/32565991546.pdf
    • https://cdn.shopify.com/s/files/1/0433/2149/1621/files/capitalismo_selvagem.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/34530012154.pdf
    • https://cdn.shopify.com/s/files/1/0432/5156/4707/files/arkabutla_lake_map.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006712.bin
    SHA-256: bc075b8cb48a2911d4700a9f0b190e0a9bdb09cd10112535ebfac86a1baeac8b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6712
    Size: 5512 bytes
  • Filename: font_01_sfnt_off000079b9.bin
    SHA-256: ec4ac91049aeda3d2abae25e5af57ed5a260c9ada27d61b487fcc9cfdb1eb8ef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x79B9
    Size: 9908 bytes
  • Filename: font_02_sfnt_off00009b8b.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9B8B
    Size: 4324 bytes