Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c9386e911b32d87…

Verdict: MALICIOUS
File type: PDF
Size: 61.2 KB
Created: 2020-08-10 15:45:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 504318d6696220023fe07aa31f0e7787
SHA-1: 1002e7ed9ec5c6e1fd394bf77e04ec7621f23afb
SHA-256: 6c9386e911b32d876a3d64cf429f26224413a1dcc4f4e9dad3137f3e18777a8a
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous links, with one identified as a malicious redirector pointing to a lure for "employment news". The ML classifier strongly flagged this PDF as malicious, and the presence of embedded URLs indicates an attempt to direct the user to external, potentially harmful content. The document body itself is heavily obfuscated but contains the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Redirector URL: https://ttraff.ru/pify?keyword=employment+news+pdf+2020

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000718b.bin
    SHA-256: 8f9d2d56d047db3fb86e0ff7d80040b2ab353e0db429df5d875a56a72665bfc8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x718B
    Size: 5308 bytes
  • font_01_sfnt_off000083a8.bin
    SHA-256: d0c9e33916e9e64e42e31bcf0d345f6c2fcd41735b1a34df0119bd0eb1094281
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x83A8
    Size: 3720 bytes
  • font_02_sfnt_off00008f0c.bin
    SHA-256: dcc75f11a7149d9580c8e014b97edd76acc59c1a5fa6f8531e2672528b06f9c6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8F0C
    Size: 10012 bytes
  • font_03_sfnt_off0000b197.bin
    SHA-256: 39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB197
    Size: 16092 bytes
  • font_04_sfnt_off0000c69b.bin
    SHA-256: b67449df26048a1967f1deeb8e1fdc000828dd579572e8fc028bde795295fabb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC69B
    Size: 10212 bytes