Malicious PDF — malware analysis report

Static analysis result for SHA-256 70729fccb3676cfe…

MALICIOUS

PDF

Size: 46.8 KB
Created: 2020-09-01 04:00:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 668759f8fd8f9aa39a30a076741b05e2
SHA-1: 6f931b7b27abe8892e50f633387f08b2d1fc578f
SHA-256: 70729fccb3676cfe700979c7e66e2b46b40a717098fdf2c761320205bbc43fee
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded links that redirect to known malicious infrastructure, specifically a URL related to a movie download lure. The ML classifier strongly indicates maliciousness, and the presence of numerous external PDF links suggests a link farm or redirection scheme designed to obscure the final malicious destination. No scripts were extracted, but the primary attack vector appears to be social engineering via a deceptive link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.com/wix?keyword=challengers+sinhala+movie+mp4
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/b8c837_1c9c9cb729df4c818de01045768e1714.pdf
    • https://static.usrfiles.com/ugd/b8c837_4ffec7ef8bf841e1aef717cf53b69edb.pdf
    • https://static.usrfiles.com/ugd/0047a4_70ffcb7ab2ca418d8e32704c684549ca.pdf
    • https://static.usrfiles.com/ugd/b8c837_277c348a815a48619c48467ffd817073.pdf
    • https://static.usrfiles.com/ugd/739437_c4ff862bd1374a37a3446b146924188d.pdf
    • https://static.usrfiles.com/ugd/510a18_98463653911a456eba358b314c159847.pdf
    • https://static.usrfiles.com/ugd/8b49c6_fa53e3eb630649e1ab3b976f151bcd70.pdf
    • https://cdn.shopify.com/s/files/1/0429/8519/3621/files/telugu_movies_2018_tamilrockers_watch_online.pdf
    • https://cdn.shopify.com/s/files/1/0465/3803/1254/files/pokese.pdf
    • https://cdn.shopify.com/s/files/1/0434/2562/8327/files/mepinurepikaxutibuber.pdf
    • https://static.usrfiles.com/ugd/b8c837_9977ce3c087b4c299ea0255220b1c1a2.pdf
    • https://static.usrfiles.com/ugd/05900a_66e4d32adbf242e8a8f28b8a59cebd3c.pdf
    • https://static.usrfiles.com/ugd/b8c837_7f9e051fc1024cb1a83a812d439373db.pdf
    • https://static.usrfiles.com/ugd/23e9be_04b33a19c324487ca9d58219a3683802.pdf
    • https://static.usrfiles.com/ugd/38bf1f_9dda90b571a849cb922a9db96b1403ac.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://sinhala.sourceforge.net/
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
    • http://www.gnu.org/licenses/gpl-2.0.html

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00005155.bin
    SHA-256: c254661a54e0d658afd715001c4693c4475e779f4931755ce4cc3b50bb937e47
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5155
    Size: 5964 bytes
  • font_01_sfnt_off000065d9.bin
    SHA-256: 162157d88ef961752b0a82a3f9e9405613cd247ee0187c4119eedfe2ae8dac4c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65D9
    Size: 5284 bytes
  • font_02_sfnt_off00007773.bin
    SHA-256: 9159d3f411f5c180d14857811fd2b7f2ffb8e09b36548f7152ef5ee2b8668682
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7773
    Size: 5244 bytes
  • font_03_sfnt_off0000894d.bin
    SHA-256: c11833ae3505f0c4929712053d27889465d2be0bbe4b1d3b2d7b7e94e6215a24
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x894D
    Size: 10468 bytes