Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d1f64c47933d720…

MALICIOUS

PDF

43.2 KB Created: 2020-09-13 09:12:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00bf8a2cd5463bd8f4a57d28c0c07d56 SHA-1: 33f0ad5ed200797c176e9562e79f615f0fad8099 SHA-256: 6d1f64c47933d7201e4ac1722b3147eb85305e8d90134000ca5441c0ce81e921
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple embedded URLs, with one identified as a malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' and the presence of a link farm suggest an attempt to direct users to malicious content, potentially for phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and embedded links are indicative of a malicious document designed to exploit user interaction.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wb?keyword=paper.io%203%20unblocked%20google%20sites
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/bf650e_da222a09a1bd4be2984bc3d6622a9d11.pdf
    • https://static.usrfiles.com/ugd/ac72e0_2e3f4e1f905c489aa70bd5d65774a1b8.pdf
    • https://static.usrfiles.com/ugd/9ef0c3_f491fbf7dd83494a8853274ce1217d37.pdf
    • https://static.usrfiles.com/ugd/cd79e3_68d0dfb8a70a442eb679b3b45916bf59.pdf
    • https://static.usrfiles.com/ugd/b42fd6_a6632ed9bbe5422c9e93a3243763b568.pdf
    • https://static.usrfiles.com/ugd/f09a9d_27ffe9de537448f6a4cef6e3d4a907f3.pdf
    • https://cdn.shopify.com/s/files/1/0461/8964/1891/files/vopazevam.pdf
    • https://cdn.shopify.com/s/files/1/0427/5997/9174/files/36913331251.pdf
    • https://cdn.shopify.com/s/files/1/0429/9912/0033/files/explain_characteristics_of_computer.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000698c.bin
d9c4f56ca54d8dad24aa272e4af145cf36cd4cac206584de968ac74d81e53ee2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x698C 5644 bytes
font_01_sfnt_off00007cc8.bin
2e97b89f924d7785b58692bf355bc5be979560210562fd6c7d058826295b7143		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7CC8 10388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.