Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d6d96cd69f830c0…

MALICIOUS

PDF

59.7 KB Created: 2020-10-25 17:19:00 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d946c4ee4830520544849823a2eae80 SHA-1: 5db5f930fa140559babad352b33f86bc55fdb1d6 SHA-256: 6d6d96cd69f830c0c566d4e121ede8c3af9250f6bc71203e314ddff3d6b60723
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a critical heuristic firing for a malicious redirector link, which is also present in the document body. The document also requests sensitive recovery information, indicating a phishing or social engineering attempt. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the lure suggest an attempt to redirect the user to a malicious site, likely for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/123?keyword=cordova+android+version+6.3
    • https://cdn-cms.f-static.net/uploads/4369499/normal_5f8dbeab90ea5.pdf
    • https://cdn-cms.f-static.net/uploads/4366009/normal_5f87bf2c3b98e.pdf
    • https://cdn-cms.f-static.net/uploads/4368489/normal_5f8df4913c8d9.pdf
    • https://kokexofagisukop.weebly.com/uploads/1/3/2/7/132710589/dojab_dubinojodofe_nuwafofewugadug_faxodu.pdf
    • https://tevirilozarenov.weebly.com/uploads/1/3/2/6/132695732/1342199.pdf
    • https://rixokofumi.weebly.com/uploads/1/3/1/3/131380985/kanizol.pdf
    • https://posolefuriw.weebly.com/uploads/1/3/4/3/134374222/2266121.pdf
    • https://fulipevaxavu.weebly.com/uploads/1/3/2/6/132695351/575d6950ce6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vinivuxo/56650796491.pdf
    • https://s3.amazonaws.com/mubemutolewe/lorazepam_davis_drug_guide.pdf
    • https://s3.amazonaws.com/zetare/pezelifoba.pdf
    • https://s3.amazonaws.com/wilugugo/49737091887.pdf
    • https://s3.amazonaws.com/zuxadol/hdfc_bank_ltd_rtgs_form.pdf
    • https://uploads.strikinglycdn.com/files/509961b8-ff2a-40c4-aeee-3672e5dca8ea/vixopume.pdf
    • https://uploads.strikinglycdn.com/files/e86bc4b1-c18e-496a-b89e-b87e3555d1ef/rimofaw.pdf
    • https://uploads.strikinglycdn.com/files/cc3e36c0-df74-47f9-a8ee-e253122453f9/gentle_art_of_verbal_self-defense.pdf
    • https://uploads.strikinglycdn.com/files/13447439-fb29-4809-b03e-9a1cf6d3812e/52827511194.pdf
    • https://cdn.shopify.com/s/files/1/0502/2305/5010/files/android_room_database_date.pdf
    • https://cdn.shopify.com/s/files/1/0432/7515/7670/files/39961161562.pdf
    • https://cdn.shopify.com/s/files/1/0439/3297/5272/files/does_ross_give_drug_test.pdf
    • https://cdn.shopify.com/s/files/1/0476/7481/8726/files/pokemon_counter_attack_game_for_android.pdf
    • https://cdn.shopify.com/s/files/1/0266/7737/9249/files/wokorivuxezegivapokakit.pdf
    • https://cdn.shopify.com/s/files/1/0484/9929/4363/files/39799165955.pdf
    • https://cdn.shopify.com/s/files/1/0437/0061/7381/files/wood_county_child_support_number.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a729.bin
0e5379a44420541f15535c96d3b8852b7f3584a879b220a44e1518c190440714		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA729 5100 bytes
font_01_sfnt_off0000b89b.bin
60e2446b4b8ff485bf25d078fa7117d5e92456106edf255fdb29f6cdba4029a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB89B 12252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.