Malicious PDF — malware analysis report

Static analysis result for SHA-256 48bc42b29d6abb9c…

Verdict: MALICIOUS
File type: PDF
Size: 109.0 KB
Created: 2020-09-19 21:05:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cd58fca2fb6608bdbb0bb8fa97eb987f
SHA-1: d6724baa6cd2dea71f1859e719397a7079b68b38
SHA-256: 48bc42b29d6abb9c30800c2db8d85922eaac259b8f9a3651f94d306cf03a0495
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.001 User Execution: Malicious Link

The PDF carries a clickable link to known malicious redirector infrastructure (PDF_MALICIOUS_REDIRECTOR_LINK). The document body text and the keyword parameter of the ttraff.cc link point to a 'taleo assessment answer key' lure, a search phrase chosen to draw users to the document. PDF_SEO_LINK_FARM indicates the document is one node of a generated link farm: a small file whose external links point mostly to other PDFs on a single hosting provider, built for search-engine manipulation and for routing visitors into malicious or unwanted-software delivery chains. The ML classifier strongly supports the malicious verdict. Nothing carved from this sample (URI link annotations and three embedded fonts; no script, JavaScript or embedded file) evidences PowerShell, so treat the T1059.001 mapping as unconfirmed by this file. The risk is in the click-through redirect chain, not in parsing the document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate definition carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=taleo+assessment+answer+key
    • https://36ca2e52-3ea7-4a01-b1f9-f5408725eba9.filesusr.com/ugd/a01749_4009751739ba49a4b6e9298671dffb8d.pdf?index=true
    • https://39afb891-e09f-49f7-98ad-51f17c2f5b22.filesusr.com/ugd/3283b0_503355b6d6d64f2c991e455c62f2bfec.pdf?index=true
    • https://a30391d6-034d-4239-845e-be6f027e7f15.filesusr.com/ugd/cc3ca9_a28ffa76197d4f9c9b1cde7cc738e456.pdf?index=true
    • https://201f99cb-bb30-4b68-a50d-86f55e3923fd.filesusr.com/ugd/3ddeef_4e136fda664c4fe395c285ff470f1f04.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0431/5804/4827/files/disturbed_indestructible_songs.pdf
    • https://cdn.shopify.com/s/files/1/0435/4854/1079/files/kitalafijirododomaxexel.pdf
    • https://cdn.shopify.com/s/files/1/0430/1327/5811/files/luratizubem.pdf
    • https://0352c3df-e710-4213-90eb-7de2ade09cf4.filesusr.com/ugd/9d7ad9_981e94ebe4bf44bab2899e9adc91b95a.pdf?index=true
    • https://ce63dcea-7c8c-4295-9942-cfabe1db6a63.filesusr.com/ugd/3b0c81_8f502fe457b148bf95bf9745ba9ac0fb.pdf?index=true
    • https://d42ab887-c706-4dde-af4b-dcee53605b1f.filesusr.com/ugd/205ae4_999bd4a68f6244f89208364539229cd0.pdf?index=true
    • https://fd97b1bd-06ec-4626-9f80-4192249f1e2b.filesusr.com/ugd/0789d5_88944ccdac164ce5b7fb5f870b8bf209.pdf?index=true
    • https://c279cdd2-7aad-498f-838d-97896d56a17a.filesusr.com/ugd/800b88_f9f2c8ab50b240e3aa9bf9ba84bf9b8a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF/XMP metadata namespace identifiers from the document's XMP packet, not link targets; they appear in any XMP-bearing PDF and carry no signal on their own.
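As an added example, not part of this report or of the report generator's code, the script below runs a raw-byte triage for the two heuristic shapes described above: it extracts literal /URI link annotations and checks whether a small file's external .pdf links cluster on one hosting host (the PDF_SEO_LINK_FARM shape), and it finds indirect objects defined more than once with differing bodies, flagging the ones that carry active content (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape). The PDF bytes, the `.example` hosts and the thresholds are all constructed assumptions for the example; the real sample's hosts and the generator's tuned thresholds are not used.

```python
"""Raw-byte triage for two heuristic shapes: an external PDF link farm clustered on
one host, and an indirect object defined twice with different bodies. Illustrative
code written for this page; the PDF and every host below are constructed."""
import hashlib
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample URIs (assumed .example hosts, not the report's):
# one redirector-style link plus eleven .pdf links, nine on one provider.
CONSTRUCTED_URIS = (
    ["https://ttraff.example/wix?keyword=taleo+assessment+answer+key"]
    + [f"https://{i:08x}-site.filesusr.example/ugd/{i:06x}_doc.pdf?index=true"
       for i in range(9)]
    + ["https://cdn.shop.example/s/files/1/0431/files/songs.pdf",
       "https://cdn.shop.example/s/files/1/0435/files/other.pdf"]
)

# "N G obj ... endobj"; the lookbehind stops "10 0 obj" also matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values only; hex strings and compressed object streams need a real parser.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")


def build_sample_pdf(uris):
    """Uncompressed PDF with one link annotation per URI, followed by an incremental
    update that redefines the catalog (object 1) with an added /OpenAction."""
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        ("3 0 obj << /Type /Page /Parent 2 0 R /Annots ["
         + " ".join(f"{10 + i} 0 R" for i in range(len(uris))) + "] >> endobj").encode(),
    ]
    for i, uri in enumerate(uris):
        objs.append(f"{10 + i} 0 obj << /Type /Annot /Subtype /Link "
                    f"/A << /S /URI /URI ({uri}) >> >> endobj".encode())
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    update = (b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 99 0 R >> endobj\n"
              b"99 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return original + update


def iter_objects(data):
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def find_duplicate_objects(data):
    """(N, G) keys defined more than once with differing body bytes. Identical
    re-definitions (the benign incremental-update case) are ignored."""
    bodies = defaultdict(list)
    for num, gen, body in iter_objects(data):
        bodies[(num, gen)].append(body)
    findings = {}
    for key, seen in bodies.items():
        digests = [hashlib.sha256(b).hexdigest() for b in seen]
        if len(set(digests)) < 2:
            continue
        findings[key] = {
            "definitions": len(seen),
            "first_wins_sha256": digests[0],   # what a first-wins reader resolves
            "last_wins_sha256": digests[-1],   # what a last-wins reader resolves
            "active_content": any(k in b for b in seen for k in ACTIVE_KEYS),
        }
    return findings


def extract_link_uris(data):
    out = []
    for m in URI_RE.finditer(data):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        out.append(raw.decode("latin-1"))
    return out


def registrable_host(url):
    """Collapse per-site subdomains (uuid.provider.tld) to provider.tld. Two-label
    approximation; a public-suffix list is needed for hosts such as example.co.uk."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def link_farm_assessment(data, max_size=256 * 1024, min_pdf_links=8, cluster_share=0.5):
    """Thresholds are assumptions for this example, not the report's tuned values."""
    external = [u for u in extract_link_uris(data) if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(registrable_host(u) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(data),
        "external_links": len(external),
        "external_pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "link_farm": len(data) <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_share,
    }


if __name__ == "__main__":
    pdf = build_sample_pdf(CONSTRUCTED_URIS)
    print(link_farm_assessment(pdf), find_duplicate_objects(pdf), sep="\n")
```

Run against a real file by replacing `build_sample_pdf(...)` with the file's bytes. The first-wins and last-wins digests are reported separately because that is the practical check: if they differ and the later body introduces /OpenAction, /JS or similar keys, a reader that honours the appended update executes content that a reader honouring the original never sees.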

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0001625a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1625A   4776 bytes
  SHA-256: adfb66fa400507b7ad8d9d1aa4eb81c259579314d4a42a5209b65da37f5d9adb
font_01_sfnt_off0001728e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1728E   11268 bytes
  SHA-256: dd3efff9774d9fec3a22d9962a9b305deb0c313c9455ce9419440fe22d8ed62a
font_02_sfnt_off000198f1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x198F1   4324 bytes
  SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71