Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e80400a0e5e9d93…

MALICIOUS

PDF

42.4 KB Created: 2020-08-08 12:40:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6c8ab7169be7bf122c5192ee17ba18e SHA-1: 58dfffff6b7712309db9d894a45660840ce96d63 SHA-256: 6e80400a0e5e9d931fc84ecd578ca10b6356714c8c73c1a1580c24d2ce1cfd84
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, with one identified as a known malicious redirector. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains URLs similar to those found in the extracted URL list, suggesting a coordinated effort to drive traffic to potentially harmful sites. The primary attack pattern involves luring users to click on these links, which likely leads to further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=belkin+n300+pdf
    • http://files.careercoachradio.com/uploads/1/3/1/3/131379343/9b4ed1907cf98.pdf
    • http://jukenoj.manadeesboutique.com/uploads/1/3/0/7/130776791/wegew.pdf
    • http://files.dreamility.com/uploads/1/3/1/4/131406811/zigosaremiv.pdf
    • http://tegaxof.reidsservice.com/uploads/1/3/1/3/131383373/gagoles.pdf
    • http://files.alexmerrin.com/uploads/1/3/1/4/131453136/kagezevi-bekugokomi-nokujejedoloxaf-jevunamiv.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0430/6108/4322/files/familia_cannabaceae.pdf
    • https://cdn.shopify.com/s/files/1/0440/3570/2949/files/zuvokojedejamijek.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/lonuxifipepi.pdf
    • https://cdn.shopify.com/s/files/1/0440/6870/0310/files/retirement_planning_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0433/7103/6822/files/siroserabifamirofos.pdf
    • https://cdn.shopify.com/s/files/1/0429/7857/4490/files/88045187428.pdf
    • https://cdn.shopify.com/s/files/1/0433/5609/4615/files/dexexur.pdf
    • https://cdn.shopify.com/s/files/1/0433/7837/6853/files/32296312365.pdf
    • https://cdn.shopify.com/s/files/1/0428/1879/7724/files/public_private_partnership_philippines.pdf
    • https://cdn.shopify.com/s/files/1/0430/3260/8921/files/54289338038.pdf
    • https://cdn.shopify.com/s/files/1/0435/7357/5841/files/41444226875.pdf
    • https://cdn.shopify.com/s/files/1/0432/1977/9742/files/fazupekelamevumavavodon.pdf
    • https://cdn.shopify.com/s/files/1/0434/2611/9831/files/vogotipomavujesuw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000679e.bin
e1c1a07fed09e7e814eeef69a145ef3e10d2f1632c1ab6be18f5a421bfc49b46		 pdf-font-stream PDF embedded font (sfnt) at offset 0x679E 4968 bytes
font_01_sfnt_off000078af.bin
2eea3813cbd853efb532361e4b1fd8677dbb77e05a7066f97ee731dd73c5e07d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78AF 10668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.