Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c6c90f43c7a706c…

MALICIOUS

PDF

Size: 78.7 KB
Created: 2020-09-17 11:55:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 649a9d35290bb61d40a40e327fec9a81
SHA-1: 003e47a54065c2495932fb0944a7f6683472bc1b
SHA-256: 5c6c90f43c7a706cd8c646301d5a48cb9f852d506b67f04eabd47946bd81a639
Risk score: 194

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
Of these, only T1566.001 is corroborated by the findings below: none of the heuristics report JavaScript or exploit content, and the redirector heuristic itself notes that this campaign relies on user interaction and redirect chains rather than a PDF parser vulnerability, so the T1059.007 and T1203 tags should be treated as campaign-level context rather than observed behaviour of this sample.

The PDF is a link farm and is flagged as a malicious redirector: its clickable links route through redirector infrastructure into an advance-fee scam lure. The body text, though heavily obfuscated, contains 'tv guide' keywords and a URL (ttraff.club) that appears to belong to a phishing or scam campaign. The ML classifier scores the file as malicious with maximal confidence, and the volume of embedded external links indicates an attempt to redirect the user into malicious infrastructure. The authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with the generated-carrier pattern the link-farm heuristic describes rather than with a hand-authored document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure (high) SE_ADVANCE_FEE_SCAM_LURE
    The document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; for this sample it stays at info.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.club/wix?keyword=tv+guide+fayetteville+nc+28303
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cd647963-d2fe-4727-9851-7f44fecbac58.filesusr.com/ugd/197ed4_9083cca09246461c9efa0a990eb85447.pdf?index=true
    • https://f6c366fc-f807-11ea-a328-fc4dd43d38a6.filesusr.com/ugd/d775a9_904bc3f8fc494568b564d372cb15ead6.pdf?index=true
    • https://a250f9a7-1a9e-4afd-b532-28745c7cd246.filesusr.com/ugd/d3758e_e5419d2675e44f76acba59da565a7009.pdf?index=true
    • https://d173b092-3944-45cb-ac27-16b0e7dfc37c.filesusr.com/ugd/8a419d_df98e04d40114a5291bb9abb9dc1efaa.pdf?index=true
    • https://63c75e1e-8e41-449d-b18a-94da43d0a3e8.filesusr.com/ugd/b6bf5b_58d74c709d014c80a9dd71fe3c59bc00.pdf?index=true
    • https://7d55ab2e-7f39-47c2-acc4-28c25295e08b.filesusr.com/ugd/3402b1_6140bd1196aa4c62aca674f6f0edfd6a.pdf?index=true
    • https://38d6518e-fa58-4846-a212-e3e1b963eb15.filesusr.com/ugd/595093_bcac979856c54c978180652a31d4d0f7.pdf?index=true
    • https://f99c7f02-6b1b-4b81-b209-696396a32dc1.filesusr.com/ugd/f9fac6_aab7f1ef5b0d482495dfbf8ca512c676.pdf?index=true
    • https://237aa693-7ac9-496b-958d-19980e311d7d.filesusr.com/ugd/717a42_bf2bd0983f50440a9fe9d648f2058132.pdf?index=true
    • https://5466d8e0-1ace-4905-8589-eef4b317a3b7.filesusr.com/ugd/3f80ec_7552a7012dfe408fab6d28def59f8a16.pdf?index=true
    • https://2c1090e7-3791-4962-b3d9-600851056b7c.filesusr.com/ugd/740d8c_e23a0ef4c6a841e7a0b90dcab0fec9c8.pdf?index=true
    • https://579e8587-cbc5-4583-a5ea-65619eb39b23.filesusr.com/ugd/e49726_75a0802962064e1885c4938a1f0a8455.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0438/4122/4869/files/8363523467.pdf
    • https://cdn.shopify.com/s/files/1/0440/2587/2549/files/todetofimak.pdf
    The remaining entries are XMP/RDF namespace URIs and the SIL Open Font License URL, identifiers carried in document and embedded-font metadata rather than clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
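The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short static triage pass. The following is an added example written for this page, not the analysis engine's own code: it walks every "N G obj ... endobj" definition in raw file order (so superseded definitions from incremental updates are still seen), clusters /URI link targets by domain, and reports object numbers whose repeated definitions differ in bytes, showing how a first-wins and a last-wins reader end up following different link targets. The sample PDF is constructed inline to mimic the shapes in this report (a subdomain cluster like the .filesusr.com links, and a redirector URL); the hostnames example-host.test and redirector.test, the thresholds, and all function names are illustrative assumptions. Because it scans bytes rather than trusting the xref table, it will not see objects packed inside compressed object streams (/ObjStm).

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (NOT the analysed file): a hand-built PDF skeleton with
# eleven link annotations (ten .pdf targets on subdomains of one domain plus
# one unrelated link) and, after the first %%EOF, a second definition of
# object "6 0" with a different body, as an incremental update leaves it.
def build_sample_pdf() -> bytes:
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    ]
    link_ids = list(range(4, 15))  # objects 4..14 are link annotations
    annots = b" ".join(b"%d 0 R" % i for i in link_ids)
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj")
    for n, i in enumerate(link_ids):
        uri = (b"http://www.other.test/" if i == 14
               else b"https://site%02d.example-host.test/ugd/%02d.pdf" % (n, n))
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" % i
                    + uri + b") >> >> endobj")
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: object 6 0 is redefined to point at a redirector.
    update = (b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (https://redirector.test/wix?keyword=tv+guide) >> >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return original + update

# Raw-byte walk of "N G obj ... endobj". It deliberately ignores the xref
# table so that every definition is seen, including superseded ones.
OBJ_RE = re.compile(rb"(?<!\w)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys whose presence in a conflicting duplicate makes it "active content".
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")

def iter_objects(data: bytes):
    """Yield (num, gen, body) for every definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()

def resolve_objects(data: bytes, policy: str = "last") -> dict:
    """Collapse duplicates the way a first-wins or last-wins reader would."""
    chosen = {}
    for num, gen, body in iter_objects(data):
        if policy == "first" and (num, gen) in chosen:
            continue
        chosen[(num, gen)] = body
    return chosen

def link_uris(data: bytes, policy: str = "last") -> list:
    """All /URI action targets, in object order, under the given policy."""
    return [u.decode("latin-1")
            for body in resolve_objects(data, policy).values()
            for u in URI_RE.findall(body)]

def duplicate_objects(data: bytes) -> dict:
    """(num, gen) -> distinct bodies, for objects defined more than once with
    different bytes (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    bodies = {}
    for num, gen, body in iter_objects(data):
        variants = bodies.setdefault((num, gen), [])
        if body not in variants:
            variants.append(body)
    return {k: v for k, v in bodies.items() if len(v) > 1}

def duplicate_severity(dups: dict) -> str:
    """'info' unless a conflicting definition carries active content."""
    active = any(key in body for variants in dups.values()
                 for body in variants for key in ACTIVE_KEYS)
    return "high" if active else "info"

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): folds <uuid>.filesusr.com-style
    subdomains together. A real tool should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_farm_check(data: bytes, policy: str = "last", max_size: int = 200_000,
                    min_pdf_links: int = 8, cluster_ratio: float = 0.6) -> dict:
    """PDF_SEO_LINK_FARM shape: small file, many clickable .pdf links, mostly
    on one domain. Thresholds are illustrative assumptions, not the engine's."""
    uris = link_uris(data, policy)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    by_domain = Counter(registrable_domain(urlparse(u).hostname or "") for u in pdf_links)
    top_domain, top_count = by_domain.most_common(1)[0] if by_domain else ("", 0)
    ratio = top_count / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(data), "links": len(uris), "pdf_links": len(pdf_links),
        "top_domain": top_domain, "cluster_ratio": round(ratio, 2),
        "flagged": len(data) <= max_size and len(pdf_links) >= min_pdf_links
                   and ratio >= cluster_ratio,
    }

if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("link farm:", link_farm_check(pdf))
    dups = duplicate_objects(pdf)
    print("duplicate objects:", sorted(dups), "severity:", duplicate_severity(dups))
    for policy in ("first", "last"):
        target = URI_RE.search(resolve_objects(pdf, policy)[(6, 0)]).group(1)
        print(f"{policy}-wins reader follows object 6 0 to", target.decode())
```

On the sample, the link-farm check flags the file under either resolution policy, but the duplicate check is what exposes the interesting part: a first-wins reader follows object 6 0 to one more .pdf link on the clustered domain, while a last-wins reader (the behaviour of readers that honour the incremental update) follows it to the redirector. Running both policies and diffing the resulting URL sets is a cheap way to surface the parser-confusion shape the heuristic describes.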

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f049.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF049   5660 bytes
    SHA-256: 8218b2c62b3c090b9a68e8f868316dfae02d2bd9f3ad5fd4c3a7ea7f6f7a3a22
font_01_sfnt_off000103b7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x103B7  12104 bytes
    SHA-256: 96de371cf41eb27a9c3c9f8d9a0dd7ebf2a0e95635e20fe02729c3652808ee69

Both carved artifacts are embedded font programs; no JavaScript, embedded file or other active payload was carved, which is consistent with the redirector heuristic's note that this campaign relies on clicks and redirect chains rather than a parser exploit.