Malicious PDF — malware analysis report

Static analysis result for SHA-256 6dff7f90d119ce05…

MALICIOUS

PDF

54.1 KB Created: 2020-08-31 08:27:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c907e2820dfd6657f7c2566db021f406 SHA-1: d3ef2859db1b82984508f2856563f1944bfb221f SHA-256: 6dff7f90d119ce054fa8084c09c7b7df1e43cbabc8c2e522fe0db10092fe6461
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a prominent link that redirects to a malicious domain, disguised as a movie download. This is further supported by heuristics indicating a malicious redirector and a link farm designed for SEO manipulation. Although no scripts were extracted, the presence of embedded URLs and the document body content strongly suggest a phishing or redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=chaal+jeevi+laiye+gujarati+movie++link
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/rinavupomun.pdf
    • https://cdn.shopify.com/s/files/1/0440/3717/7494/files/academy_awards_2020.pdf
    • https://cdn.shopify.com/s/files/1/0429/6949/7753/files/38791740591.pdf
    • https://cdn.shopify.com/s/files/1/0433/4141/4552/files/dapitefexowewomonika.pdf
    • https://cdn.shopify.com/s/files/1/0434/0659/0104/files/lipig.pdf
    • https://cdn.shopify.com/s/files/1/0459/2258/2679/files/chrono_trigger_rom_snes_espaol_android.pdf
    • https://cdn.shopify.com/s/files/1/0432/4560/0936/files/pathophysiology_of_lymphatic_filariasis.pdf
    • https://cdn.shopify.com/s/files/1/0428/8849/5270/files/vernier_caliper_reading_formula.pdf
    • https://cdn.shopify.com/s/files/1/0433/7264/2454/files/performance_evaluation_of_bridgeless_pfc_boost_rectifiers.pdf
    • https://cdn.shopify.com/s/files/1/0434/7772/9432/files/majisififode.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/53151925343.pdf
    • https://cdn.shopify.com/s/files/1/0438/4456/7197/files/70113844368.pdf
    • https://cdn.shopify.com/s/files/1/0436/0319/8114/files/bearing_uses.pdf
    • https://cdn.shopify.com/s/files/1/0433/5337/4874/files/cholangitis_guidelines_asge.pdf
    • https://cdn.shopify.com/s/files/1/0427/3196/2535/files/79756947096.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a18.bin
ca853c5a932e00484aa44d4e49ac705709508d7ff1f63eec37c6b522eb4925b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A18 6440 bytes
font_01_sfnt_off00006a0b.bin
acae7e1d9c20ad45daa36a99d6cf77236ae19ff7c21c0d685da5398d0df7102b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A0B 5128 bytes
font_02_sfnt_off00007b6b.bin
749a296b2812bdbb7d386e829840c4e37dc37cf984b464b3b7622785c52296c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7B6B 10860 bytes
font_03_sfnt_off000097c3.bin
59f9617a699f6dd6ceea2973f54bc42334058390b029a5b66a64f77ba81ca417		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97C3 10892 bytes
font_04_sfnt_off0000bc85.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBC85 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.