Malicious PDF — malware analysis report

Static analysis result for SHA-256 45e82252334ff98d…

Verdict: MALICIOUS
File type: PDF
Size: 48.1 KB
Created: 2020-09-19 02:57:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: def824d89441934e465169c80aeea35a
SHA-1: 797e154aee5a6be7fb185b33115cada898f84124
SHA-256: 45e82252334ff98de71f8614bef5c40283b11cc53c12e5cc4a0924b47f077a64
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by multiple critical heuristics for containing a malicious redirector link and a link farm. The embedded document body, though heavily obfuscated, contains the primary malicious URL. The presence of numerous external links, many pointing to files hosted on filesusr.com, suggests a strategy to obscure the ultimate destination and potentially evade detection. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. Readers that take the first definition and readers that take the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006729.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6729
    Size: 5368 bytes
    SHA-256: ece96b037d2e2be8a7793c770f250fd5caee7fe7729558ba5af296a6659e5f96
  • font_01_sfnt_off00007973.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7973
    Size: 10640 bytes
    SHA-256: e15b7c99de8e54c68949a0add3b0c466f66441a15823ed16bbfaa138ab1ab72e
  • font_02_sfnt_off00009e14.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9E14
    Size: 16072 bytes
    SHA-256: 24c5c481937acf4f4841e6563a6d7a18cfdb810806c94b09ac0ff4033348c1e6