Malicious PDF — malware analysis report

Static analysis result for SHA-256 70664a67356645ea…

Verdict: MALICIOUS
File type: PDF
Size: 80.7 KB
Created: 2020-08-20 07:27:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a76317cab25e6ef561fde448df788ea
SHA-1: 5555095926b2fe7faa2fdb41e992f9d0f10ab0d6
SHA-256: 70664a67356645ea179b733cc0bfb5f0ce5b3187fede38d9049dccfdc065101b
Risk score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, suggesting a phishing or scam attempt. The heuristic 'PDF_SEO_LINK_FARM' indicates the PDF is part of a larger scheme to generate traffic through numerous external links. Although no scripts were explicitly extracted, the presence of embedded URLs and the malicious redirector strongly suggest an attempt to lead the user to malicious content, likely for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ttraff.cc/pify?keyword=vector+triple+product+solved+examples+pdf
    • http://tebode.goldenpointpartners.com/uploads/1/3/0/8/130814229/gulegutotofuwuja.pdf
    • http://files.generalhealthy.com/uploads/1/3/0/9/130969957/f9e0e8459f2df5f.pdf
    • http://kemidesi.sellmyhousefasthoustontx.net/uploads/1/3/1/4/131453540/12af2769501c93.pdf
    • http://files.manorhavenpta.com/uploads/1/3/1/4/131409442/1383973.pdf
    • http://logaxus.realhomecashbuyers.com/uploads/1/3/0/8/130813780/7979230.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/1741436775.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/66916333827.pdf
    • https://cdn.shopify.com/s/files/1/0430/4296/3613/files/blown_to_bits_abelson.pdf
    • https://cdn.shopify.com/s/files/1/0431/3343/6066/files/calculus_for_dummies_workbook.pdf
    • https://cdn.shopify.com/s/files/1/0431/7757/4562/files/bullet_journal_future_log.pdf
    • https://cdn.shopify.com/s/files/1/0431/1112/1063/files/cowboy_bebop_tank_opening.pdf
    • https://cdn.shopify.com/s/files/1/0432/7168/4252/files/65432164934.pdf
    • https://cdn.shopify.com/s/files/1/0435/5820/7651/files/40524126020.pdf
    • https://cdn.shopify.com/s/files/1/0437/8833/7313/files/vefonipagu.pdf
    • https://cdn.shopify.com/s/files/1/0433/6638/3768/files/81762222096.pdf
    • https://cdn.shopify.com/s/files/1/0433/1690/4104/files/xipazuwegav.pdf
    • https://cdn.shopify.com/s/files/1/0437/1700/1368/files/43240515098.pdf
    • https://cdn.shopify.com/s/files/1/0431/6640/0666/files/agarose_gel_electrophoresis_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Fields per artifact: filename, SHA-256, kind, source, size.

font_00_sfnt_off0000bbb5.bin
  SHA-256: 948b3e2ea175bd28d2e4fa02d211d653fd0847c77f98ec96ab2afcaf088c8038
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBBB5
  Size: 5168 bytes

font_01_sfnt_off0000cd4d.bin
  SHA-256: bf1804cbcf83f836578c5dbfda0438c9899b1b6a4352db3ffc2e86e67f94985b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCD4D
  Size: 2172 bytes

font_02_sfnt_off0000d6af.bin
  SHA-256: 4d0c9292aa543b176168a6d615ea664292002b87dc60e2de7e4c0665f49d8f75
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD6AF
  Size: 17212 bytes

font_03_sfnt_off00010cb3.bin
  SHA-256: 0297fa9fbb29498f873a749eb2b97bc6a7ce550e55a2d8654ddbd72c98ea6911
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10CB3
  Size: 16568 bytes

font_04_sfnt_off000123bf.bin
  SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x123BF
  Size: 4324 bytes