Malicious PDF — malware analysis report

Static analysis result for SHA-256 5523ef1545a403ce…

MALICIOUS

PDF

40.4 KB Created: 2020-09-10 15:01:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0d60aff25cbad7683d61e8d49994fe47 SHA-1: dbfc12fe642cd47a1ab2356babd59e2b214b8ce4 SHA-256: 5523ef1545a403cec9d405a7862300557d27aa49a84c42d51e6d80e5e248b807
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, indicating a phishing or malware distribution attempt. The document body, though partially corrupted, includes keywords related to 'video maker software' and a URL that mirrors the malicious redirector's structure. The presence of numerous external PDF links, many pointing to benign Shopify domains but some to unknown domains, suggests a link farm or redirection strategy. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=video+maker+software+free++for+windows
    • http://voliloki.wellsviewstudio.com/uploads/1/3/1/6/131637881/74e404f9c2d.pdf
    • http://riviw.alakaiheritage.org/uploads/1/3/2/7/132712072/medede.pdf
    • http://bapawabi.beverlyjacobsart.com/uploads/1/3/1/3/131379730/lujitimaze_bopoli_rinebanokotad.pdf
    • http://files.lonestarweimclub.com/uploads/1/3/0/8/130813992/1428510.pdf
    • http://jogus.fulloflife.ca/uploads/1/3/1/8/131856543/571889.pdf
    • http://vokulu.soils-permaculture-lebanon.com/uploads/1/3/1/3/131384260/butaxada.pdf
    • http://files.davidscobiearchitects.com/uploads/1/3/1/4/131437733/1310309.pdf
    • http://resere.ravencreativeco.com/uploads/1/3/2/3/132303382/vagewagapudiv_vofobifaleri_mutafil_fobojubaxe.pdf
    • https://cdn.shopify.com/s/files/1/0432/5939/6254/files/cambodia_visa_form.pdf
    • https://cdn.shopify.com/s/files/1/0438/6055/7974/files/journal_of_physics_d_applied_physics_template.pdf
    • https://cdn.shopify.com/s/files/1/0433/4262/6984/files/39646441248.pdf
    • https://cdn.shopify.com/s/files/1/0440/8904/9238/files/85367232876.pdf
    • https://static.usrfiles.com/ugd/f3ecbe_b12cd0f7b6ed4687a08e44cfbdfe41ad.pdf
    • https://static.usrfiles.com/ugd/b73feb_b5e3780d38784514a083868c040caf5a.pdf
    • https://static.usrfiles.com/ugd/e1d12c_86e83e48420b45669961fb3fc0b073c1.pdf
    • https://static.usrfiles.com/ugd/dd4472_73fefb08025149b7acc0d34df195725f.pdf
    • https://static.usrfiles.com/ugd/e56fe2_cd7638ca5457417a820ecd2011f5a204.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060c1.bin
a0bfe939c564e6daab713826407f50b9b9aee2fa59dc4f76f762953246cbe237		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60C1 5144 bytes
font_01_sfnt_off00007241.bin
b103a4b38f0c364be6adbbff039b6306ed075ddc1260f34ded3bd0fd1a12d326		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7241 10052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.