Malicious PDF — malware analysis report

Static analysis result for SHA-256 54ec1925c81c6a4c…

MALICIOUS

PDF

Size: 56.3 KB
Created: 2020-09-17 01:45:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 090810a7817a60df307174a2f99f134b
SHA-1: 5dd03eab6f0822489530b7a66689130961fd27cb
SHA-256: 54ec1925c81c6a4cd2db706bc326eb328fe271acdef2c6b40773f77227215dc5
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.001 Command and Scripting Interpreter: PowerShell (no PowerShell indicator appears in the static findings below; this mapping is not supported by the extracted evidence)

This PDF contains numerous clickable links designed to route users to malicious websites, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM heuristics. The document body, though partially corrupted, carries a redirector URL on ttraff.club whose keyword parameter is the lure 'ukulele chords chart for beginners'; the remaining links point at further generated PDF files hosted on a handful of file-hosting domains. The ML classifier also flagged the file as malicious with the maximum score. The attack pattern is SEO-driven luring through a link farm and redirect chain, not exploitation of a PDF parser vulnerability; the file only becomes dangerous if a user follows one of its links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel (macro, JS, link annotation, document body, ...) through which each URL is reached.
    Redirector and link-farm URLs (the clickable links matched by the two critical heuristics above):
    • https://ttraff.club/wix?keyword=ukulele+chords+chart+for+beginners
    • http://kadodevi.adelantechc.org/uploads/1/3/2/6/132682878/siwiruba-lebuduj-bunibuzowiwo-vofuxa.pdf
    • http://dogif.alexbaltodano.com/uploads/1/3/2/6/132696056/2cad32d.pdf
    • http://files.familyconnectionscounseling.net/uploads/1/3/1/0/131070161/tifokufigef_rugovebagef.pdf
    • http://files.cpuandmore.com/uploads/1/3/1/3/131380158/tusilasakexam_pabiz_dokafeten_kudiziw.pdf
    • https://efb762b9-44ef-4b90-90b9-567ededf6f01.filesusr.com/ugd/46bfb0_59b8a036cf284fabb057dde34067dba0.pdf?index=true
    • https://7b0fb974-629c-4a4d-9945-a4d68db00b6e.filesusr.com/ugd/c63dba_1c671b1a85124d36a9a15e3b8a0d32d7.pdf?index=true
    • https://78ada765-943a-46d3-ace2-2ff1984f8e57.filesusr.com/ugd/65e777_b0fb70ade58f4f6ba04dcb19d5403a26.pdf?index=true
    • https://a43c107c-c7b4-486e-93b1-c12fd5910aa6.filesusr.com/ugd/98e2de_87df0cf493b74fbd9e77087338be8610.pdf?index=true
    • https://986d1b63-eb15-4c26-b8bb-1eb4d1fa92e1.filesusr.com/ugd/7dfe85_f8a24119354d420da8d8d96c15d3be14.pdf?index=true
    • https://144dd961-ab3b-4b5f-a036-b73fb9695ffb.filesusr.com/ugd/7a359d_bfd49d8b34924233b7fc5bea7689fd3a.pdf?index=true
    • https://a01007cf-fd11-45f5-9713-4ec5b9cd3d49.filesusr.com/ugd/4542d9_6304cc100e6d4099b855db9e4ec59287.pdf?index=true
    • https://8a0b4c9d-79d5-4026-aaef-9734de184b44.filesusr.com/ugd/e50c99_a6ad9b396c99449ea1fed211211185a4.pdf?index=true
    XMP/RDF namespace URIs (from the document's metadata; not navigable links and expected in any wkhtmltopdf output):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
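The two critical heuristics and the duplicate-object check above are simple enough to reproduce on raw PDF bytes. The following is an added example written for this page, not code from the analysis platform: a regex-based object scanner that collects only URIs reachable through clickable /Subtype /Link annotations (so XMP namespace URIs in metadata are ignored), flags a small file whose .pdf links cluster on one host, and reports object IDs whose first and last definitions differ. The sample PDF, the hosts under files-farm.test and redirector.test, the registrable-domain approximation and the thresholds are all constructed assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" in file order. A regex is enough for this demonstration; it is
# not a full PDF parser (object streams and streams containing "endobj" are not handled).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def parse_objects(data):
    """Return [((num, gen), body), ...] for every indirect object, duplicates included."""
    return [((int(m[1]), int(m[2])), m[3].strip()) for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: object IDs whose first and last definitions differ.

    A first-wins reader resolves the first body, a last-wins reader (normal incremental-update
    semantics) the last one, so the two readers show different content.
    """
    first, last = {}, {}
    for key, body in parse_objects(data):
        first.setdefault(key, body)
        last[key] = body
    return {k: (first[k], last[k]) for k in first if first[k] != last[k]}


def link_annotation_uris(data):
    """URIs reachable through clickable /Subtype /Link annotations only.

    This is the channel the redirector/link-farm heuristics care about; URLs that merely
    appear in metadata (e.g. XMP namespace URIs) are not collected here.
    """
    uris = []
    for _, body in parse_objects(data):
        if b"/Subtype" in body and b"/Link" in body:
            uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


def registrable_domain(url):
    """Crude eTLD+1 approximation (last two labels) so per-upload subdomains such as
    <uuid>.host.tld collapse onto one host. Assumption for the example, not a PSL lookup."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def link_farm_verdict(data, max_size=100_000, min_pdf_links=8, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, mostly on one host.
    The thresholds are assumptions chosen for this example."""
    uris = link_annotation_uris(data)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(registrable_domain(u) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    flagged = (len(data) <= max_size and len(pdf_links) >= min_pdf_links
               and top_count >= cluster_ratio * len(pdf_links))
    return {"flagged": flagged, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_links": top_count}


def build_sample_pdf(n_farm_links=9):
    """Constructed sample (not derived from the analysed file): one page whose link annotations
    point at hypothetical hosts, plus object 4 redefined with a different body."""
    annots, objs = [], []
    for i in range(n_farm_links):
        num = 10 + i
        url = f"http://{i:08x}-site.files-farm.test/uploads/1/3/2/{num}/doc{i}.pdf".encode()
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj\n" % (num, url))
        annots.append(b"%d 0 R" % num)
    objs.append(b"30 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI "
                b"/URI (https://redirector.test/wix?keyword=ukulele+chords) >> >> endobj\n")
    annots.append(b"30 0 R")
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
           b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots ["
           + b" ".join(annots) + b"] >> endobj\n"
           b"4 0 obj << /Length 19 >> stream\nBT (benign) Tj ET\nendstream endobj\n"
           + b"".join(objs)
           # incremental-update style redefinition of object 4 with a different body
           + b"4 0 obj << /Length 26 >> stream\nBT (replaced page) Tj ET\nendstream endobj\n"
           b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return pdf


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("duplicate objects:", sorted(duplicate_objects(sample)))
    print("link annotations:", len(link_annotation_uris(sample)))
    print("link-farm verdict:", link_farm_verdict(sample))
```

Run against a real file by replacing build_sample_pdf() with the file's bytes; the verdict dictionary is what a triage rule would key on, and duplicate_objects is the place to add the "does the later body carry active content" check that raises the duplicate-object severity.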

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Three subsetted sfnt (TrueType/OpenType) font programs, the expected output of a wkhtmltopdf/Qt render; none of the heuristics above concerns them.

  • font_00_sfnt_off00009146.bin
    SHA-256: 40dc51e6dbda1b6dd722c7ad5430c37ede9ea039cc47ecfbaf2cfffac88ffb17
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9146
    Size: 5360 bytes
  • font_01_sfnt_off0000a373.bin
    SHA-256: 4b8b62161b83a28d11b08eb258986f2718dea74476c72aa686ab893db057be23
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA373
    Size: 10104 bytes
  • font_02_sfnt_off0000c616.bin
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC616
    Size: 4324 bytes