Malicious PDF — malware analysis report

Static analysis result for SHA-256 649c72f176a98842…

MALICIOUS

PDF

49.0 KB Created: 2020-08-29 23:42:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e0a7effe51ac54f9a6d5808fb5e2a03a SHA-1: 615746fa455becb86003d02261743b6efd691731 SHA-256: 649c72f176a98842cb9c1c7951490c6af6c5d1549d7f254a1c0a102077512f79
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link that redirects to a malicious domain, likely as part of a phishing or scam campaign. The document body and embedded link text suggest a lure related to an internship report. While no scripts were directly extracted, the PDF structure and embedded links indicate malicious intent, potentially leveraging embedded JavaScript for redirection or further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=relier+un+rapport+de+stage
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://static.usrfiles.com/ugd/b8c837_90c24482204c473f90c40cffbede2358.pdf
    • https://static.usrfiles.com/ugd/d01287_bf648d7b53b54cc28fcb728d4e2be617.pdf
    • https://static.usrfiles.com/ugd/b8c837_335e42b09e474ea6aae944e6a41eac6f.pdf
    • https://static.usrfiles.com/ugd/67f5f7_934b98c63a3f4c5e921f160d96367580.pdf
    • https://static.usrfiles.com/ugd/b8c837_357b1d639daf40a4a9ae5e99878a32ad.pdf
    • https://cdn.shopify.com/s/files/1/0432/7945/0272/files/what_is_spotify_connect.pdf
    • https://cdn.shopify.com/s/files/1/0431/9654/7230/files/bipisowupoxenikurapo.pdf
    • https://cdn.shopify.com/s/files/1/0437/4416/6037/files/72898950074.pdf
    • https://cdn.shopify.com/s/files/1/0431/2468/7014/files/wow_unholy_dk_talents.pdf
    • https://cdn.shopify.com/s/files/1/0434/2376/0536/files/421162425.pdf
    • https://cdn.shopify.com/s/files/1/0457/0683/8172/files/57003383199.pdf
    • https://cdn.shopify.com/s/files/1/0458/1693/8662/files/inteligencias_multiples_gardner_libro_gratis.pdf
    • https://cdn.shopify.com/s/files/1/0430/7727/1716/files/vugebijalusuvun.pdf
    • https://cdn.shopify.com/s/files/1/0431/3910/4917/files/vevusigud.pdf
    • https://static.usrfiles.com/ugd/cb5dea_3dd009ab445b4bcda0523385f92fd486.pdf
    • https://static.usrfiles.com/ugd/b8c837_3b3ea172b5c2452ca0f08364a1105733.pdf
    • https://static.usrfiles.com/ugd/b8c837_4f2323e87bf54026b0bbdf474025b9ae.pdf
    • https://static.usrfiles.com/ugd/b8c837_b47d83bc26854d53be8abf5ebdd4ab79.pdf
    • https://static.usrfiles.com/ugd/b8c837_5d850ccd029d4e1cb951f54a314fe7d0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000700f.bin
3c2252a80459977729426ed37bb62abb31047cefdfc0bf18bb93b83f0f295f78		 pdf-font-stream PDF embedded font (sfnt) at offset 0x700F 5016 bytes
font_01_sfnt_off00008124.bin
95f809936ffe851beea5c686a6ba1e97072ab5e36bf0be8b2cec2a68d7979650		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8124 12088 bytes
font_02_sfnt_off0000a714.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA714 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.