Malicious PDF — malware analysis report

Static analysis result for SHA-256 16c14c21e76aafaf…

MALICIOUS

PDF

59.7 KB Created: 2020-07-09 07:45:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1caf1d5143205a98a040f443125e9a70 SHA-1: 18061d4ff680dac2f1c3403db09f1b2894c1e511 SHA-256: 16c14c21e76aafafcdb040305f8599bef2fc2cedc67a590c959bdbca06756df2
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm or SEO poisoning tactic. One critical heuristic identified a link to known malicious redirector infrastructure. The document body, though obfuscated, contains a URL that likely leads to further malicious content or phishing pages. No scripts were extracted, but the presence of numerous links indicates a high likelihood of redirection to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wb?keyword=modified%20mini%20mental%20state%20examination%20pdf
    • http://files.donnysinge.com/uploads/1/3/1/3/131380251/1818407.pdf
    • http://files.bonusmath.com/uploads/1/3/1/8/131856844/vudapa_nufim_boritibor_ponapuribube.pdf
    • http://files.pacehighchoir.com/uploads/1/3/1/8/131871891/2056809.pdf
    • http://files.azkillerbeessoftball.com/uploads/1/3/0/8/130874518/jemizip.pdf
    • http://files.susangsterrett.com/uploads/1/3/1/3/131380476/441203.pdf
    • http://files.bigtrecreation.com/uploads/1/3/1/3/131379612/fasezojozixuf.pdf
    • http://files.allstaresher.com/uploads/1/3/1/3/131382406/batuze-sadadifobuzi-wovewasoralaveg.pdf
    • http://files.coxevolab.org/uploads/1/3/1/3/131380733/b435077a189.pdf
    • http://files.jovaunholmes.com/uploads/1/3/0/8/130873973/818c81.pdf
    • http://files.heatherseagraves.com/uploads/1/3/2/3/132302774/nufigidoruz-reverime-mojavo.pdf
    • http://files.mperezphotography.com/uploads/1/3/1/3/131398133/xopadonolu-pikixupok-gifolujun-fikigivifiv.pdf
    • http://files.oombaga.net/uploads/1/3/0/8/130874467/454fce2a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://norofila.files.wordpress.com/2020/06/pazavewonij.pdf
    • https://tipubek.files.wordpress.com/2020/06/jizurutunamitowida.pdf
    • https://gaxugemudozo.files.wordpress.com/2020/07/96733235241.pdf
    • https://mixumepenow322808010.files.wordpress.com/2020/06/93001797574.pdf
    • https://zoluvarij.files.wordpress.com/2020/06/83127712255.pdf
    • https://gonejajomu.files.wordpress.com/2020/06/xulumejazi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/40035930655.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dusegu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/53293114795.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rofan.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/titigabibuzumazavuxi.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/5578033559.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/93616534700.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079e4.bin
b6c17d58a1ccf859e1df05611b4defbf0820a09efa7b9ac05ffa6b730cc1bb18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79E4 12772 bytes
font_01_sfnt_off0000a35a.bin
8ca610d38ae6acfccb5cd953959beb29a3d7c2919998853120ba0bf6fe0b0c44		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA35A 4952 bytes
font_02_sfnt_off0000b426.bin
930023a4d7113fe0dbd37513f07d7e0da0e8d2324d18eff0846e107f9fca6620		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB426 14120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.