Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d108a4c0554c4dd…

Verdict: MALICIOUS
File type: PDF
Size: 74.0 KB
Created: 2020-08-31 00:41:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eab3961c969cd156b06c5479729e7d87
SHA-1: e5a38ee84cb0398a772a5abc64863a864e1d3774
SHA-256: 5d108a4c0554c4dd59a7c2b0030e4d693f288ca747775c40d2ce38c2b7485c54
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded links that point to a known malicious redirector, indicating an attempt to lure users to a harmful site. The ML classifier strongly flagged this PDF as malicious. Although no scripts were explicitly extracted, the PDF structure itself facilitates the redirection, likely as part of a phishing or malware delivery chain.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.ru/wix?keyword=%25D8%25B1%25D8%25A8%25D8%25A9+%25D8%25A7%25D9%2584%25D9%2585%25D9%2586%25D8%25B2%25D9%2584+%25D8%25AA%25D8%25AC%25D8%25A8%25D8%25B1+%25D8%25B9%25D9%2584%25D9%2589+%25D9%2585%25D9%2585%25D8%25A7%25D8%25B1%25D8%25B3%25D8%25A9+%25D8%25A7%25D9%2584%25D8%25AC%25D9%2586%25D8%25B3

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_006_off0000dea7.bin
    SHA-256: 942c5e0ff9347e51cb0dda894beef08656fcbc5bb770c40e8f7b17d4ea31d9fb
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xDEA7
    Size: 32772 bytes
  • font_00_sfnt_off00009b18.bin
    SHA-256: 457a95d2d1619e609b977429d761152f7d5a3c0fe23271f2bb247fdca2d50445
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9B18
    Size: 4068 bytes
  • font_01_sfnt_off0000a8f6.bin
    SHA-256: 9290e5152937149c98698349ab92f9dc35373ca11ea9c4d15578f20f7945089f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA8F6
    Size: 18292 bytes
  • font_02_sfnt_off0000c507.bin
    SHA-256: c5984f2e107dc20c70b145f9d1f6179f8e2072a9a3235096749114de20ede26f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC507
    Size: 7484 bytes