Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f8f95f7de434533…

Verdict: MALICIOUS
File type: PDF
Size: 43.3 KB
Created: 2020-09-19 01:31:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 015c52f4fa7747632d5e0821a6a3ba9b
SHA-1: 8aeb35f76b0609e055021614011698a89044593d
SHA-256: 6f8f95f7de43453318cb81644f1e9fa3789460c1cb9205dd1e34112900d2ec3c
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, appears to reference shopping keywords like 'skechers black friday uk', suggesting a lure to trick users into clicking the malicious link. The presence of a large number of external links indicates a link farm, likely for SEO manipulation or to host further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=skechers+black+friday+uk

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005e69.bin
  SHA-256: 1b60551129947c41587e7b9e24037b7dc748141bb4d7d4d82c85f23f9e5d91a2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5E69
  Size: 5516 bytes

Filename: font_01_sfnt_off0000712a.bin
  SHA-256: 21ae0b1a07e3b6cd3828e27083d3a2e31af2c3efdbb4755f9fad8d6b921b11ba
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x712A
  Size: 15236 bytes