Malicious PDF — malware analysis report

Static analysis result for SHA-256 617994b945cc9e02…

MALICIOUS

PDF

41.1 KB Created: 2020-08-11 04:56:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0fbd9f25b0d8cc717bb885af24128a05 SHA-1: 8a232cea142d837a08c537f4d089dcd808043607 SHA-256: 617994b945cc9e02a80003d36356b3ffa97f14c3fed4d065ae43cad8a3ce3d0e
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, including one identified as a malicious redirector, which is likely intended to lead the user to a malicious site. The ML classifier strongly flagged this PDF as malicious, and the presence of a redirector URL supports the conclusion that this document is part of a phishing or redirection campaign. No scripts were extracted, but the embedded URLs are the primary indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=alkaloids+in+medicinal+plants+pdf
    • http://files.katherinegaulke.com/uploads/1/3/0/7/130776589/1369963.pdf
    • http://files.melissaavitale.com/uploads/1/3/2/6/132683017/puxedewowulad.pdf
    • http://tonijosu.emperatrice-maltese.co.uk/uploads/1/3/0/7/130776167/vonekafobusegita.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0437/2335/8358/files/63552804111.pdf
    • https://cdn.shopify.com/s/files/1/0428/8148/2919/files/44017624183.pdf
    • https://cdn.shopify.com/s/files/1/0437/8374/9781/files/xerijanifofufoboribawore.pdf
    • https://cdn.shopify.com/s/files/1/0440/6660/3158/files/kikamodanomakefigujijowa.pdf
    • https://cdn.shopify.com/s/files/1/0432/5857/7064/files/papebefidipuwagufejebab.pdf
    • https://cdn.shopify.com/s/files/1/0430/2058/3065/files/excel_proper_case.pdf
    • https://cdn.shopify.com/s/files/1/0439/2439/0056/files/rusegitamavafibedisadebo.pdf
    • https://cdn.shopify.com/s/files/1/0437/8758/3650/files/38082696116.pdf
    • https://cdn.shopify.com/s/files/1/0432/7669/7760/files/advanced_english_grammar_book_for_class_11_12.pdf
    • https://cdn.shopify.com/s/files/1/0433/4475/6901/files/92960692863.pdf
    • https://cdn.shopify.com/s/files/1/0430/3103/6053/files/how_to_improve_your_public_speaking_skills.pdf
    • https://cdn.shopify.com/s/files/1/0431/3127/3383/files/wixabupe.pdf
    • https://cdn.shopify.com/s/files/1/0431/3127/3383/files/10_day_forecast_orlando.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006388.bin
14a027289d520c4d5fc9d2f01c982b97afaa62592f4986ea7737e74c43e2d6ac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6388 5256 bytes
font_01_sfnt_off0000755a.bin
dfda493119c613209018321eaf1b9744e1475296a1268ef6b8b18fe54e908455		 pdf-font-stream PDF embedded font (sfnt) at offset 0x755A 9972 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.