Malicious PDF — malware analysis report

Static analysis result for SHA-256 65f22f86955abf96…

MALICIOUS

PDF

Size: 60.9 KB
Created: 2020-08-31 00:26:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e9fc8cba541f58aed0e5bf134eafe257
SHA-1: 7d09da0d50a74d1918aeb4106ed49a7ae562b20f
SHA-256: 65f22f86955abf96eec9728e43db6ebe4eccbdefe6457cf4b422c33af059210f
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a significant number of embedded URLs, with one identified as a malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external PDF links, suggesting an attempt to manipulate search engine results or distribute further malicious content. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00006457.bin
    SHA-256: 0e089adee229378ec33b7e7f4a2af7a86801400db7ecf7090e2599e8d57f4ff6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6457
    Size: 6936 bytes
  • font_01_sfnt_off00007b76.bin
    SHA-256: 4227cf81794ed0a9965f6c41a3fbb57ac3ac1c0ab4122aa36a7e8478d2c6c4f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B76
    Size: 4964 bytes
  • font_02_sfnt_off00008bc4.bin
    SHA-256: cbd8585363a64ededc26081971b4626d3bac791a68e70bbfc99fb6c8b43f1787
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8BC4
    Size: 9952 bytes
  • font_03_sfnt_off0000a7c2.bin
    SHA-256: d6dac4d037f1d01c43e782f47b675d5c002678817c5fb6e78888a1825d973928
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA7C2
    Size: 9788 bytes
  • font_04_sfnt_off0000c97b.bin
    SHA-256: 703998c19525e53bf5bf3ff0a111dea52deab0b8ff3bde88a06c8b9816473117
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC97B
    Size: 17896 bytes