Malicious PDF — malware analysis report

Static analysis result for SHA-256 172605f9483cc674…

MALICIOUS

PDF

Size: 40.2 KB
Created: 2020-09-19 22:13:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9888d959f5f7e21f968ba3b18f48d9b9
SHA-1: 0a20d16b2162d14578b42e441bf6f8a16fe123e7
SHA-256: 172605f9483cc674d0ec322779bbb888bc7260353d61db6c4896d66344dd0582
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs, at least one of which is identified as a malicious redirector. The document body, though heavily obfuscated, contains references to URLs and appears to be a lure posing as a product manual, likely intended to trick users into clicking malicious links. The ML classifier strongly indicated maliciousness, supporting the conclusion that this PDF is designed for malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.link/wix?keyword=watts+premier+wp-4v+manual
    • http://files.divinesoulenergy.com/uploads/1/3/0/9/130969819/d55ccdadbe3c.pdf
    • http://files.thelovelyphotographers.com/uploads/1/3/1/8/131857650/jaduzutivaku.pdf
    • http://gekud.timmurphyportfolio.com/uploads/1/3/1/8/131856491/4820565.pdf
    • http://files.nativeamericanfluteshop.com/uploads/1/3/1/6/131606111/e74ae65aa438031.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://94b3b21d-14ee-4d2b-a80f-d993f6e6c342.filesusr.com/ugd/8bf3fc_30acbcf13065495898cd4174eed0d719.pdf?index=true
    • https://cdc29b3d-d28d-4aa0-bf7b-ac0ec6a808a9.filesusr.com/ugd/9219f8_b2f3d2e5633c4a4693327510e958a7ab.pdf?index=true
    • https://149979aa-9adc-46e8-948c-b0ef12b989cb.filesusr.com/ugd/e5412a_7b1dada6420d41dc8ec41a2390d33206.pdf?index=true
    • https://28ab5751-823e-4824-b5e7-8f98c278bef3.filesusr.com/ugd/ede58b_d7049e61da77438caa776f9101b59422.pdf?index=true
    • https://1c8d41d2-fac5-4a45-ba9b-ca111d187aab.filesusr.com/ugd/db80c5_1c33daa0168348f98a486ec87984f5ea.pdf?index=true
    • https://9055b318-6c5b-483c-95c1-4e1459349e3c.filesusr.com/ugd/03ef8e_f205b4fe881f4a9ea278f1e38d4f8911.pdf?index=true
    • https://64ee607c-c710-4a06-9f26-58a988241327.filesusr.com/ugd/c8683e_2efe1f4c64294763b1fe0a85590f46c0.pdf?index=true
    • https://7d00b453-6c43-405f-9334-006f59e05c5f.filesusr.com/ugd/cf9ff1_973fc6132b524c9ab49976a701c9a287.pdf?index=true
    • https://3e2ed1fa-a259-4143-8e8d-cf2237eebfd8.filesusr.com/ugd/bd1c09_0ba50325a1f4425b8bfc30ee951994be.pdf?index=true
    • https://e7812d6c-be6d-464f-89b5-107739b5807e.filesusr.com/ugd/882da0_7546eb7c3f214faaa2851a72e7d2d4e0.pdf?index=true
    • https://b888bd98-6c84-4993-a3df-9ace5b551e04.filesusr.com/ugd/d2057d_e13cf19a4f1e472f84f5b5113caeba69.pdf?index=true
    • https://57480b05-7041-4ea7-a1ca-b2bb194ae7d2.filesusr.com/ugd/e2c223_4f6fe35e4a694162af1857877edd966c.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000520f.bin
    SHA-256: 1c8b6aa7633966e33be098bb0fed175521c4b57d51e859c1f5891ed7a5a185f2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x520F
    Size: 5024 bytes
  • Filename: font_01_sfnt_off0000632b.bin
    SHA-256: 61b33954304d5fa4ee6054264a23497fb707b0017778660cd11fc62b8253a915
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x632B
    Size: 10216 bytes
  • Filename: font_02_sfnt_off00008619.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8619
    Size: 4324 bytes