Malicious PDF — malware analysis report

Static analysis result for SHA-256 60c6f041a2b3383f…

Verdict: MALICIOUS
File type: PDF
Size: 40.6 KB
Created: 2020-08-23 21:16:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4074421ab0520fb89316ec949384b902
SHA-1: 38c2e5658922423a537c540f051e4a6ba03c189d
SHA-256: 60c6f041a2b3383fb69dc1116eff069eace023b7e68af3ede251453b9fbda558
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to link farms and a known malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the redirector found in the heuristics. This suggests the primary goal is to redirect users to malicious infrastructure, likely for further exploitation or phishing. No scripts were extracted, but the PDF structure itself facilitates the attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/pify?keyword=ambedkar+dj+songs++mp4

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000049dd.bin
    SHA-256: 6c1f4004dcdcf66876737579a7234ca2d4ad73641e2fb350564d39455525a57d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x49DD
    Size: 5604 bytes
  • Filename: font_01_sfnt_off00005cdc.bin
    SHA-256: 1fcb79a69b08beb72221fe1efde5695460baabe79ce72b1cfa3afe0cc5f8fd46
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5CDC
    Size: 9816 bytes
  • Filename: font_02_sfnt_off00007ec0.bin
    SHA-256: b5705dc0b37bdfddb7654ebb543ae02c871202e6d628ea56d0290bca7c9995c0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7EC0
    Size: 6532 bytes