Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b83ed03fa1589c5…

MALICIOUS

PDF

128.5 KB Created: 2020-09-18 11:42:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7602c3b98adeed669d11c0b77623ef0 SHA-1: 6b9dd21a12eb9365debcfbcdfdbfc822ae3be951 SHA-256: 6b83ed03fa1589c58ff2d6cd9c8bb043dc94a47cbb0e25b0820734c4425722d2
222 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains multiple heuristics indicating malicious intent, including a critical finding for a redirector link and a link farm. The document body, though partially corrupted, suggests a lure related to tax worksheets, aligning with advance-fee scam patterns. The presence of numerous embedded links, including one to a known malicious redirector, strongly suggests an attempt to lead the user to a malicious site or download.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=maryland+personal+exemption+worksheet+2018
    • http://files.4u2customize.com/uploads/1/3/2/6/132682565/vezodudepuzefon.pdf
    • http://files.gaeunkim.com/uploads/1/3/1/4/131454986/pozori.pdf
    • http://files.actionlearning.nl/uploads/1/3/0/7/130775195/wekina.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0431/0401/0389/files/75197328136.pdf
    • https://cdn.shopify.com/s/files/1/0429/1874/0134/files/infant_daily_report_for_parents.pdf
    • https://cdn.shopify.com/s/files/1/0462/3790/9141/files/bejeweled_blitz_uptodown.pdf
    • https://cdn.shopify.com/s/files/1/0431/3425/5265/files/sinafenomutimabur.pdf
    • https://cdn.shopify.com/s/files/1/0462/3165/0453/files/78248700742.pdf
    • https://711d4ea9-70e2-49da-9931-e456288cbefc.filesusr.com/ugd/cc03df_fd45359708ae442d88dbd82a8496830a.pdf?index=true
    • https://145bbc06-67e4-436d-b51f-84cc00f42c43.filesusr.com/ugd/3bbd68_adec55269df140c9ae5781babaf5c62b.pdf?index=true
    • https://a2389e72-bb03-49fd-ad9f-582615a9ee00.filesusr.com/ugd/8d5d69_e791bf24ca4e40ac9961804245f67dc9.pdf?index=true
    • https://7859b01b-a3f8-4c3e-b289-31b14c6dc25d.filesusr.com/ugd/12745a_b7d747733a45485e9f02598f4d9b722b.pdf?index=true
    • https://a22a399b-575f-4a6f-99f7-53cc083c8f97.filesusr.com/ugd/078c79_8fd4b1e935f143dba5734e849a8b31e4.pdf?index=true
    • https://db7930f8-6962-4ee4-b8ae-ff4cbee9fdcb.filesusr.com/ugd/7d21c0_3ed78506907d4844b774597fc44c6884.pdf?index=true
    • https://aa35c5eb-8a4f-4fc1-a6f6-39657cd5936e.filesusr.com/ugd/b916f4_a1c0d4e8419e4c1caf8e18cbb831ce15.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001afb1.bin
d6f4f5dea3aef9dee15a2d2c13a3197010fc8462cff4c02ac3ea639635bc8ac9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1AFB1 6052 bytes
font_01_sfnt_off0001c449.bin
ebf4595086f75f5af6e683f5bee5d77dc0b12cf4e7c20f52a9fd1010e5235903		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C449 15428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.