Malicious PDF — malware analysis report

Static analysis result for SHA-256 6738355e683ccba9…

MALICIOUS

PDF

70.1 KB Created: 2020-08-11 19:45:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 14f9d0fa41a06a3643cf2aa3fd924f1a SHA-1: d50d4af83a1580fcab89f64868173338e402970f SHA-256: 6738355e683ccba91ce47a50d1110a0dd821be0254af74178b7224bd50abbedd
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic firing for a link to known malicious redirector infrastructure. The document body, though partially obfuscated, contains text suggesting it is a lure for a 'block letter format example pdf'. The presence of many external links, including those hosted on potentially compromised Shopify stores, indicates a link farm or SEO poisoning attempt to distribute malicious content. No scripts were extracted, but the primary attack vector appears to be social engineering via malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=block+letter+format+example+pdf
    • http://figesu.framingidentity.org/uploads/1/3/0/8/130814011/f1ce48f.pdf
    • http://rujadit.joannemooncelebrant.com/uploads/1/3/1/6/131636725/faed9b76.pdf
    • http://files.davidpaap.com/uploads/1/3/0/8/130873983/2892012.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0430/9568/7328/files/turiwa.pdf
    • https://cdn.shopify.com/s/files/1/0432/2630/0575/files/pazip.pdf
    • https://cdn.shopify.com/s/files/1/0429/9830/0823/files/nuxurelarexisesemoral.pdf
    • https://cdn.shopify.com/s/files/1/0432/3885/0728/files/mirowopanebexetode.pdf
    • https://cdn.shopify.com/s/files/1/0430/3981/7890/files/fufatonasuxapag.pdf
    • https://cdn.shopify.com/s/files/1/0430/4227/5485/files/pdf_akuntansi_perusahaan_dagang.pdf
    • https://cdn.shopify.com/s/files/1/0430/2651/4077/files/69329892815.pdf
    • https://cdn.shopify.com/s/files/1/0428/7509/3159/files/74255685726.pdf
    • https://cdn.shopify.com/s/files/1/0430/7940/1632/files/microsoft_office_for_mac_product_key.pdf
    • https://cdn.shopify.com/s/files/1/0437/5350/4917/files/crash_bandicoot_gba.pdf
    • https://cdn.shopify.com/s/files/1/0433/9941/3921/files/90630958739.pdf
    • https://cdn.shopify.com/s/files/1/0428/2790/7239/files/pamafomupomox.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bf30.bin
b7f317aa0f29cd34df008dc84d8f376d2685882a57a4a5cd0d86477d0adf885a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBF30 2828 bytes
font_01_sfnt_off0000c92b.bin
3fc374cfaefc02805b15b2441e77e7ca9b39255e38e760b7af395e306eb18fac		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC92B 4940 bytes
font_02_sfnt_off0000d9fb.bin
802e4a651a518845ba1d7851ae4a04932bb4bfcc306eafa058555faed49c3786		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD9FB 10120 bytes
font_03_sfnt_off0000fc94.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC94 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.