Malicious PDF — malware analysis report

Static analysis result for SHA-256 6efbadfed3b579f9…

MALICIOUS

PDF

Size: 56.7 KB
Created: 2020-08-31 19:01:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2cdac21c9beb7a56b5c6997259df646e
SHA-1: 53342e1269b98c668d616c7de234666b5cdc9377
SHA-256: 6efbadfed3b579f99d3f04e141f530b2298a078728125a6073dab1c16e0c25e5
Risk Score: 194

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains a link to a known malicious redirector, which is a common tactic for phishing and malware delivery. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' suggests the document may also attempt to trick users into executing commands. The ML classifier strongly indicates maliciousness, and the presence of embedded links points towards an attempt to direct users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (severity: critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure (severity: high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size.

  • font_00_sfnt_off00008027.bin
    SHA-256: a376423319cb90e7b2b88966a0d7b02563d2d8c96cd5c07c01675af9d26cef06
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8027; Size: 5492 bytes
  • font_01_sfnt_off000092de.bin
    SHA-256: 13678a14b930e6d42e11b2ac41b13981c2c7f5938cc30cfb194ad51886f1f1dd
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x92DE; Size: 2092 bytes
  • font_02_sfnt_off00009c83.bin
    SHA-256: 27b5d7e3b418496255a0c921a396b72c244945aba1cdc863a73a2baf6f393ece
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9C83; Size: 10304 bytes
  • font_03_sfnt_off0000c005.bin
    SHA-256: 057c53d13f705c0d6c8d72b3ab36bb32bec19286abea56c3b048a44f6f798fac
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xC005; Size: 16128 bytes