Malicious PDF — malware analysis report

Static analysis result for SHA-256 3aaa851d795dd675…

Verdict: MALICIOUS
File type: PDF
Size: 51.9 KB
Created: 2020-08-14 15:03:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc6e8cb6bdcea9e7001ab6086822e4aa
SHA-1: 372644253a377acac8a88e981e409642e8c59c2e
SHA-256: 3aaa851d795dd6751e22434e9eab80c018d97f889a1eaadd24d353473e61626e
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 Malicious File: Malicious Link

The PDF contains a significant number of embedded links, with one heuristic specifically identifying a link to known malicious redirector infrastructure. Another heuristic points to a large external PDF link farm, suggesting a tactic to manipulate SEO or distribute further malicious content. The ML classifier also strongly indicated maliciousness. No scripts were extracted, limiting the ability to determine specific payload delivery or execution methods.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off00006d74.bin (e54c32584c3e6b1f664fa22617f16d365585a9fa62faa055166ad1f6450f2b6a) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6D74 | 4916 bytes
font_01_sfnt_off00007e19.bin (e5ba312d2be63b299495fa20948499970b69753a671433bc17e84aef72ad553a) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E19 | 15064 bytes
font_02_sfnt_off0000acbd.bin (8394e2b2867625f36f60b48a8789bed6127a5b7c6f9896a1eb056a29ee5405a3) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xACBD | 16188 bytes