Malicious PDF — malware analysis report

Static analysis result for SHA-256 6009aea29f53cffd…

Verdict: MALICIOUS
File type: PDF
Size: 59.0 KB
Created: 2020-08-30 08:12:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c9d570fca5383d1de4445ad6bf728327
SHA-1: 62484dcd8db982a05028d6074eb2572ad4e89a45
SHA-256: 6009aea29f53cffde3802d30083861092ccb3e18c7127fd7bd3f0b3787a0e797
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a clickable link to ttraff.ru, redirector infrastructure tied to a known malicious PDF SEO/adware campaign. The query string keyword (Spanish for "free psychological tests to download") is the search phrase the document was generated to rank for, and the page text is on the same theme, which is the lure. The other clickable links are a farm of further PDFs hosted on cdn.shopify.com and static.usrfiles.com (Wix file storage): the pattern of machine-generated SEO carrier documents that route users into unwanted-software delivery chains. The link volume is out of proportion to a 59 KB document and serves search-ranking manipulation and burying the redirector among similar-looking links rather than citation. The classifier scored the file 1.0000 malicious. None of the triggered heuristics concerns JavaScript, launch actions or a parser exploit; the chain depends on the user clicking through the redirector. The authoring application (wkhtmltopdf 0.12.5) is consistent with scripted HTML-to-PDF generation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI (a /Link annotation with a /URI action) to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than a PDF parser vulnerability, so the risk is in what the redirector serves, not in opening the file.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external .pdf links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (the later definition follows an earlier %%EOF), so severity is raised only when the duplicate carries active content such as a script or launch action. Here it does not, hence info.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel that reached it (link annotation, document body, XMP metadata, embedded font). Grouped by channel:
    Clickable redirector link (basis of PDF_MALICIOUS_REDIRECTOR_LINK):
    • https://ttraff.ru/wix?keyword=test+psicologicos+gratis+para+descargar
    Clickable link-farm targets (basis of PDF_SEO_LINK_FARM), all .pdf, on the Shopify CDN and Wix file storage:
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/26433336276.pdf
    • https://cdn.shopify.com/s/files/1/0433/0582/8520/files/bemutuzuritijolibi.pdf
    • https://cdn.shopify.com/s/files/1/0432/9363/8822/files/dwarf_fortress_workshop_layout.pdf
    • https://cdn.shopify.com/s/files/1/0432/1394/7041/files/duwugurofulaxoxa.pdf
    • https://cdn.shopify.com/s/files/1/0427/7154/6279/files/73525829708.pdf
    • https://static.usrfiles.com/ugd/299074_bd919c9c35a349acb8bdfc0f6459d13e.pdf
    • https://static.usrfiles.com/ugd/b8c837_1fd470b8877947c292e1a654f1a01b2e.pdf
    • https://static.usrfiles.com/ugd/a6e5e9_60bf69a2e1834e0f86afc4c8ae196f8d.pdf
    • https://static.usrfiles.com/ugd/b8c837_d6c97b325978480dbf153dd2a6de8c26.pdf
    • https://static.usrfiles.com/ugd/24853a_67e14ebfbfd144d584fb79e303385b29.pdf
    • https://static.usrfiles.com/ugd/b8c837_a5cd443c79724641a86ad40e51ef8375.pdf
    • https://static.usrfiles.com/ugd/b85eb0_110d0edf10064e408479821c5ec44119.pdf
    • https://static.usrfiles.com/ugd/b914b5_b298f9d93f6b41ebae554297d3c8253b.pdf
    • https://static.usrfiles.com/ugd/cd79e3_70418ddce52d4251bd0adc1d5055ca9b.pdf
    • https://static.usrfiles.com/ugd/c345b0_bb318e087596424b97fa6dd2fafcd383.pdf
    • https://static.usrfiles.com/ugd/b7ab08_8c9ac2df20174a098989287f71ece1e6.pdf
    Standard XMP metadata namespace URIs (not clickable, expected in any XMP packet):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Font vendor and license strings (not clickable; consistent with the name tables of the five embedded sfnt fonts listed under Extracted artifacts, e.g. GNU FreeFont, DejaVu and Ascender-designed faces):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
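The two structural heuristics above (the link-farm check and the duplicate-object check) can both be reproduced from a raw scan of the file's indirect objects. The following is an added example written for this page, not the analysis tool's own code. It runs on a constructed sample PDF embedded in the script (not the analysed file), uses hypothetical thresholds (max_size, min_pdf_links, cluster_share) that the report does not state, and only sees objects written in the clear: objects packed into compressed object streams and non-literal /URI strings are outside its reach, so a production tool would inflate streams first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): an uncompressed PDF with four
# /Link annotations, one redirector-style URI plus three .pdf links on one
# host, followed by an incremental update that redefines object 4 0 with a
# different, active body. Cross-reference tables are omitted; lenient readers
# and this scanner do not need them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example/go?keyword=test) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/files/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/files/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/files/c.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" on raw bytes. Objects inside compressed object streams
# (/Type /ObjStm) are invisible to this scanner.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values only; hex strings and escaped parentheses are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def scan_objects(data):
    """Every indirect object definition in file order: (num, gen, body, offset)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def link_annotation_uris(data):
    """URIs reachable by clicking, i.e. /URI actions inside /Link annotations."""
    uris = []
    for _num, _gen, body, _off in scan_objects(data):
        if re.search(rb"/Subtype\s*/Link", body):
            uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(body))
    return uris


def link_farm_check(data, max_size=200 * 1024, min_pdf_links=3, cluster_share=0.6):
    """Hypothetical thresholds: a small file whose clickable links are mostly
    external .pdf targets clustered on one host looks like a generated SEO carrier."""
    uris = link_annotation_uris(data)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = len(data) <= max_size and len(pdf_links) >= min_pdf_links and share >= cluster_share
    return {"links": len(uris), "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": share, "flagged": flagged}


def duplicate_objects(data):
    """Object numbers defined more than once with different bytes. 'incremental'
    is True when an earlier %%EOF separates the two definitions (the legitimate
    update shape); 'active' when either body carries script/launch keys."""
    eofs = [m.start() for m in re.finditer(rb"%%EOF", data)]
    first_seen, findings = {}, []
    for num, gen, body, off in scan_objects(data):
        key = (num, gen)
        if key not in first_seen:
            first_seen[key] = (body, off)
            continue
        first_body, first_off = first_seen[key]
        if body == first_body:
            continue
        active = any(k in body or k in first_body for k in ACTIVE_KEYS)
        findings.append({"obj": key,
                         "incremental": any(first_off < e < off for e in eofs),
                         "active": active,
                         "severity": "high" if active else "info"})
    return findings


def resolve(data, num, gen, policy="last"):
    """Return the body a first-wins or a last-wins reader would use for num gen."""
    bodies = [b for n, g, b, _ in scan_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


if __name__ == "__main__":
    print(link_farm_check(SAMPLE_PDF))
    for finding in duplicate_objects(SAMPLE_PDF):
        print(finding)
    print(resolve(SAMPLE_PDF, 4, 0, "first"))
    print(resolve(SAMPLE_PDF, 4, 0, "last"))
```

On the constructed sample the link-farm check flags three .pdf links all on cdn.example.net, and the duplicate-object check reports object 4 0 as an incremental redefinition whose later body is active, which is exactly the case the report's heuristic says should raise severity; resolve() shows the two readers seeing a plain URI link versus a JavaScript action for the same object.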

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000640a.bin
  SHA-256: 109d45a5016f7f385c4baa0853760c06a3fb9fbc74b27980779661786aa980ab
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x640A
  Size: 6868 bytes
font_01_sfnt_off00007564.bin
  SHA-256: 5040cc391b3bd8e9fd4d5141953567d9c73109164d2386076e1d4cdf643567e9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7564
  Size: 5192 bytes
font_02_sfnt_off0000870e.bin
  SHA-256: b26f7a7ea8d4b2b1e3e6f2c7e37a94075db63327f5d53b11367ac297d39d3385
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x870E
  Size: 6560 bytes
font_03_sfnt_off00009d3c.bin
  SHA-256: 17f52ab14e3353134f6d73cd063763326923ee9cdb15bb331f82d4b1afd19739
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9D3C
  Size: 12304 bytes
font_04_sfnt_off0000c493.bin
  SHA-256: b12b27a8a8dcdfae14f82ddb741a70789a9c72a717f601e6a44f8b715b0f875c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC493
  Size: 16880 bytes

All five carved artifacts are embedded TrueType/OpenType (sfnt) font programs, which is ordinary output for wkhtmltopdf; no executable, script or nested document was carved from the sample.