Malicious PDF — malware analysis report

Static analysis result for SHA-256 6da0b5e0dd3b8060…

MALICIOUS

PDF

69.4 KB Created: 2020-08-09 20:38:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88a136bb3e1a589020b4b4c36bfe57f1 SHA-1: 801a1cadffc13d3ee555b6678fd18b16af827a6e SHA-256: 6da0b5e0dd3b80607cbac3ddf2d7e392e0043cacf4cfbc572721e38f7f6baf6e
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains numerous links to external resources, many of which are algorithmically generated and point to potentially malicious infrastructure. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' indicates that at least one URL is a known redirector, likely leading to a malicious site. The presence of many PDF links suggests a link farm or SEO poisoning tactic to drive traffic to malicious content. No scripts were extracted, but the document's structure and link farm behavior are indicative of a phishing or malware distribution lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=fundamental+theorem+of+finite+abelian+group+pdf
    • http://lefas.mrslorenzscience.com/uploads/1/3/0/8/130814297/9151929.pdf
    • http://xogogula.mathewscountyhistoricalsociety.org/uploads/1/3/0/7/130775934/nubebuxixuzevorusa.pdf
    • http://files.drstevenjadlow.com/uploads/1/3/1/4/131409037/3507337.pdf
    • http://files.treatsicecreamparlour.com/uploads/1/3/0/9/130969298/lelosajoxedamur.pdf
    • http://wosuzojed.werleaders.com/uploads/1/3/0/9/130969754/269617.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0434/1317/6469/files/44273303128.pdf
    • https://cdn.shopify.com/s/files/1/0427/8494/8380/files/90739598605.pdf
    • https://cdn.shopify.com/s/files/1/0439/3569/5016/files/zuzisojidodinivititatuxez.pdf
    • https://cdn.shopify.com/s/files/1/0429/6838/3641/files/27412301228.pdf
    • https://cdn.shopify.com/s/files/1/0431/0158/5570/files/16027650812.pdf
    • https://cdn.shopify.com/s/files/1/0437/9839/7085/files/duwibigawajiledux.pdf
    • https://cdn.shopify.com/s/files/1/0433/0225/6795/files/vrus_e_bactrias_resumo.pdf
    • https://cdn.shopify.com/s/files/1/0427/9956/2911/files/wowilemopulero.pdf
    • https://cdn.shopify.com/s/files/1/0428/6706/4998/files/ximosalusafivip.pdf
    • https://cdn.shopify.com/s/files/1/0435/9513/7187/files/twitch_emote_requirements.pdf
    • https://cdn.shopify.com/s/files/1/0431/9179/5875/files/reverse_an_integer_java.pdf
    • https://cdn.shopify.com/s/files/1/0429/9322/1783/files/1973080430.pdf
    • https://cdn.shopify.com/s/files/1/0430/4646/9793/files/gekibupali.pdf
    • https://cdn.shopify.com/s/files/1/0431/9019/0248/files/gemupigodakebera.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ad55.bin
f7f714e39f84bdbe819403adb427883d6bb3006bbaf3b2071c376d3308904c9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAD55 5372 bytes
font_01_sfnt_off0000bf72.bin
99934f7324660c27bf93411bed91d7725660ea13b6fde324d740e4455a3a139d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBF72 15836 bytes
font_02_sfnt_off0000f059.bin
b4e839058eeae4767b547920ab49f98e70f6a6ce4bac8f62e034451664868e1a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF059 16884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.