Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a8ffb071670beeb…

MALICIOUS

PDF

100.6 KB Created: 2020-08-29 11:30:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0fafeed3cb17be90e080a39f9d1c6ce SHA-1: 6cdf3c20cf551ec985b3d5cd70b3f528cc7f3ad7 SHA-256: 6a8ffb071670beeb6751efb454d92d792ed056601d43b46f01f9418ff9dd0a90
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The file also exhibits characteristics of a link farm, with numerous external PDF links, suggesting an attempt to distribute malicious content or engage in SEO manipulation for malicious purposes. The presence of a 'download button' lure further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=stepmania+otaku%2527s+dream
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/2068/9306/files/sakarafefodunux.pdf
    • https://cdn.shopify.com/s/files/1/0458/2709/6739/files/moxufetolar.pdf
    • https://cdn.shopify.com/s/files/1/0459/0010/3834/files/javascript_check_if_string_is_date_format.pdf
    • https://cdn.shopify.com/s/files/1/0437/1454/3771/files/cahier_des_charges_informatique.pdf
    • https://cdn.shopify.com/s/files/1/0432/8675/7536/files/75305393955.pdf
    • https://cdn.shopify.com/s/files/1/0440/5251/2918/files/77856534756.pdf
    • https://cdn.shopify.com/s/files/1/0430/2992/1943/files/jolorifixumopixirabinipi.pdf
    • https://static.usrfiles.com/ugd/b8c837_c3cc08bbea914980af47646a1456721e.pdf
    • https://static.usrfiles.com/ugd/b8c837_e022dddd4185465698943bf8c13a8487.pdf
    • https://static.usrfiles.com/ugd/b8c837_30fd54937558457bb69c065553ce4808.pdf
    • https://static.usrfiles.com/ugd/b8c837_e1a2b99b75e348ca8fa1a0c5f35bb275.pdf
    • https://static.usrfiles.com/ugd/b8c837_c9f6869b972445329dbd2fbf0133938f.pdf
    • https://static.usrfiles.com/ugd/b8c837_3ef699fc2d4d42ba939b6968eb95f81e.pdf
    • https://static.usrfiles.com/ugd/b8c837_1334d9999e1d4ad9a5b3e24b57c48ae5.pdf
    • https://static.usrfiles.com/ugd/b8c837_be1bd70a8f0e42aeadec758b1412f293.pdf
    • https://static.usrfiles.com/ugd/b8c837_57f863d9bab34c468be7b9f1bb901095.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c5a5.bin
c570989a2a40a6e2a67fdc39df01ae9514fa3c94095590611c93d2bd96ec1c1a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC5A5 33180 bytes
font_01_sfnt_off00012bb2.bin
872114bc63b6163d020aeb39d661f85cd246efbf4e068b5395b8d25c57d14403		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12BB2 5276 bytes
font_02_sfnt_off00013d82.bin
45161600c168cb86abea0d582939cff7e26865ccef696145a84b56b2745b4fe2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13D82 2052 bytes
font_03_sfnt_off00014637.bin
9a26c2e0e7852de48deb6fe0d936112a65b064f82f853f7e1113644701051948		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14637 11304 bytes
font_04_sfnt_off00016c61.bin
d981b483bf59e23c014f750e993120576f39eb5d7b2c53afd7a979a0ca1d5f21		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16C61 17392 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.