Malicious PDF — malware analysis report

Static analysis result for SHA-256 6adf7264cd632531…

MALICIOUS

PDF

Size: 70.2 KB
Created: 2020-08-30 18:57:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78c5b6b999c446d998abaaa859e3e21d
SHA-1: d0b95ed89a395c0cd05fba7eda0cc3c82af88231
SHA-256: 6adf7264cd632531fbfc7229a21e6678fd3d985c238ba92b8c2a9840685b7a37
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, with one identified as a malicious redirector. The ML classifier also flagged this PDF with high confidence. The primary attack pattern involves redirecting users to external sites, likely for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.com/wix?keyword=%25D9%2586%25D8%25B8%25D8%25B1%25D9%258A%25D8%25A9+%25D8%25AC%25D9%258A%25D9%2585%25D8%25B3+%25D9%2587%25D9%2588%25D8%25AA%25D9%2588%25D9%2586
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/6240/2965/files/cannot_search_a_document.pdf
    • https://cdn.shopify.com/s/files/1/0433/1631/4277/files/bastar_university_time_table_2020.pdf
    • https://cdn.shopify.com/s/files/1/0433/8375/0821/files/cctv_camera_installation_guide_in_urdu.pdf
    • https://cdn.shopify.com/s/files/1/0430/7727/1716/files/60652464010.pdf
    • https://cdn.shopify.com/s/files/1/0437/5265/2951/files/wawamakezatojapiroz.pdf
    • https://cdn.shopify.com/s/files/1/0463/3110/1346/files/bcp_and_drp_templates.pdf
    • https://cdn.shopify.com/s/files/1/0437/9131/9200/files/senuxenimedamewizawotafuv.pdf
    • https://cdn.shopify.com/s/files/1/0429/1425/0905/files/charles_baudelaire_les_fleurs_du_mal.pdf
    • https://cdn.shopify.com/s/files/1/0438/5888/6806/files/61008054996.pdf
    • https://cdn.shopify.com/s/files/1/0434/6616/2341/files/j_dilla_donuts_zip.pdf
    • https://cdn.shopify.com/s/files/1/0428/8610/3207/files/celebrate_recovery_step_study_guide.pdf
    • https://static.usrfiles.com/ugd/3f4b99_d6544211026a45f09909ffd4de209b8a.pdf
    • https://static.usrfiles.com/ugd/a107db_5d8b7e097b6e4563b756abfc38ec0349.pdf
    • https://static.usrfiles.com/ugd/b8c837_a6671860f1c5474090ecf45617181fe6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: stream_006_off0000d0fe.bin
    SHA-256: 9b7a169563cdeb42e107982f86e53f08517dde769cd38d2ca6391dc358251b3d
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xD0FE
    Size: 32252 bytes
  • Filename: font_00_sfnt_off0000898f.bin
    SHA-256: 457a95d2d1619e609b977429d761152f7d5a3c0fe23271f2bb247fdca2d50445
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x898F
    Size: 4068 bytes
  • Filename: font_01_sfnt_off0000976d.bin
    SHA-256: 50d127a5eafad30832122073177aa1482454ab0a7dc9f91db97f8c98c69ab754
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x976D
    Size: 17820 bytes
  • Filename: font_02_sfnt_off0000b2aa.bin
    SHA-256: 7ef1b81767e31aa8b0c1ffa3ea7a114adc26b339ddbc7e608b3306b696c595bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB2AA
    Size: 8780 bytes