Malicious PDF — malware analysis report

Static analysis result for SHA-256 418f095ecce80335…

Verdict: MALICIOUS
File type: PDF
Size: 77.1 KB
Created: 2020-09-09 23:41:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0d09cd7aa90faab28735ac6436ab6359
SHA-1: d71ab6966d1cbbd66df6efaf08bbeb5cb486faca
SHA-256: 418f095ecce80335f404a184e8a7c397dd5f6c4a37d248f7eda4da4dcb901e71
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was flagged as malicious due to a high ML score and the presence of numerous links to external PDFs, indicating a link farm designed to redirect users. One critical heuristic identified a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains URLs that align with the observed link farm behavior. The primary intent appears to be directing users to potentially harmful external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
-------- | ------- | ---- | ------ | ----
font_00_sfnt_off00007c91.bin | 4dceb5057e319a74df311ccd436169ef3ff02d14576aaa3fe62b613bc59886a1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7C91 | 6824 bytes
font_01_sfnt_off00008de6.bin | b12c47d705f081a3308597a0a99d8e4be37a1149eacc97c5610286eeef3c83ea | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8DE6 | 4112 bytes
font_02_sfnt_off00009baa.bin | 9a23e920219121f26793fb0697b42c34bbb36974cc42e210e5a9b6d3d166db27 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9BAA | 6196 bytes
font_03_sfnt_off0000aaaf.bin | 711391b59f02241273769fb8482f7f37cffc0010c711f5b8b8feeeadc179cbec | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAAAF | 1952 bytes
font_04_sfnt_off0000b3f8.bin | 21fe71cf6b82e04e0032cf2a0d808bdc4c9193215aeec8591ededf1505a91778 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB3F8 | 27448 bytes
font_05_sfnt_off0000fc22.bin | 3c82924f5ab67ef756cbbf31822fe0f3c2c2744bc04372b6d983ae012810b0fa | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC22 | 17312 bytes
font_06_sfnt_off00011582.bin | 1fac13daf0ae605acbce388f010dfa4ce711d1a2bc62dfd2b562e81854678476 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11582 | 6472 bytes