Malicious PDF — malware analysis report

Static analysis result for SHA-256 61a465336d5de9c7…

MALICIOUS

PDF

49.6 KB Created: 2020-08-28 12:12:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52cab60dd8bdbf3204bc08d0868d7e02 SHA-1: 66b7fbd1bd4a4eb48957d7487804f77c4f4e0b74 SHA-256: 61a465336d5de9c7813e044115b54999dc20c919ac45c1a41825ef871f6dbfb8
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a redirector, which is a common tactic for distributing malicious payloads. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting an attempt to game search engines or distribute content widely. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document is designed to trick users into downloading an archive, likely containing malware, by providing password instructions. No scripts were extracted, but the presence of embedded URLs and the link farm strongly suggest a malicious intent to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=pokemon+y+3ds+executable+download
    • http://moleto.noahzion.com/uploads/1/3/1/4/131438044/5897994.pdf
    • http://zavulelop.mngophercockshutt.com/uploads/1/3/2/6/132681352/pigizasifo_novimesuxusoj_mazigusisegezos_xibexewijaso.pdf
    • http://rafefawet.yeeg.co.uk/uploads/1/3/0/7/130776445/16c0b3bb6e48.pdf
    • http://tixijoka.dianakurin.com/uploads/1/3/0/7/130738697/9717000.pdf
    • http://files.lochgoin.com/uploads/1/3/1/6/131607239/gutexal.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/5702/9019/files/lebigejulaz.pdf
    • https://cdn.shopify.com/s/files/1/0434/4135/6950/files/bahane_aisi_hoti_hain_song.pdf
    • https://cdn.shopify.com/s/files/1/0432/5045/0600/files/xovadijujuz.pdf
    • https://cdn.shopify.com/s/files/1/0437/7565/6094/files/86421726312.pdf
    • https://cdn.shopify.com/s/files/1/0431/5748/7778/files/64874825448.pdf
    • https://cdn.shopify.com/s/files/1/0463/3539/3953/files/92334806628.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/37394074323.pdf
    • https://cdn.shopify.com/s/files/1/0430/9244/3303/files/zofijonamanisawagu.pdf
    • https://cdn.shopify.com/s/files/1/0432/7496/1059/files/woxoronozibagobiked.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000074da.bin
4e96db1382d86c6187ce276466f315dedb3792a1f299b1b8ec8528008205c032		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74DA 3840 bytes
font_01_sfnt_off00008284.bin
11527fb18782debd909f6bb38074a0b4037c77167d23e03d411ac3918914a883		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8284 5620 bytes
font_02_sfnt_off000095ab.bin
1bf2fe12d4326c336c834d97e5323bc8031e12f2e9804a1fd94a8f4f4f82b6a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95AB 10220 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.