Malicious PDF — malware analysis report

Static analysis result for SHA-256 73c4d7565b2dcac3…

MALICIOUS

PDF

43.1 KB Created: 2020-08-10 16:22:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b53cec4cea116e72b05481debb33a21d SHA-1: 65b8895c8472dbebc9be302b24c06801b2ed536c SHA-256: 73c4d7565b2dcac3954b3b17a29f69d6df12dd6e80e5347ecf733bb898cf1834
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, including one to a known malicious redirector, suggesting a phishing or malware distribution attempt. The document body, though partially corrupted, includes the same lure text and URLs found in the heuristics, reinforcing the malicious intent. No scripts were extracted, but the presence of embedded URLs and the PDF_MALICIOUS_REDIRECTOR_LINK heuristic strongly indicate a malicious redirection to a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=business+english+writing+advanced+masterclass+pdf
    • http://files.warrenswcd.com/uploads/1/3/0/8/130874347/5213841.pdf
    • http://tixak.bonedesigns.com/uploads/1/3/1/6/131606289/2347443.pdf
    • http://jokamas.smile-movement.com/uploads/1/3/1/4/131453541/b9371077.pdf
    • http://gelexewef.grandviewcresthoa.com/uploads/1/3/1/1/131164250/3582825.pdf
    • http://files.alleghenybuilders.com/uploads/1/3/0/7/130739369/a18ff19b1463.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0430/8064/6807/files/68491686112.pdf
    • https://cdn.shopify.com/s/files/1/0436/2820/0096/files/69310869741.pdf
    • https://cdn.shopify.com/s/files/1/0431/3455/0177/files/japojolilogekusow.pdf
    • https://cdn.shopify.com/s/files/1/0433/1310/2998/files/wenudiganoviwakavi.pdf
    • https://cdn.shopify.com/s/files/1/0428/0041/4883/files/numoben.pdf
    • https://cdn.shopify.com/s/files/1/0429/6769/5511/files/75635317494.pdf
    • https://cdn.shopify.com/s/files/1/0432/1126/0062/files/29841923014.pdf
    • https://cdn.shopify.com/s/files/1/0431/3631/9639/files/devaleparisekobelete.pdf
    • https://cdn.shopify.com/s/files/1/0437/0294/3909/files/46247402767.pdf
    • https://cdn.shopify.com/s/files/1/0427/9736/7452/files/15100631266.pdf
    • https://cdn.shopify.com/s/files/1/0433/5799/5160/files/vowepisenowaselarugipaga.pdf
    • https://cdn.shopify.com/s/files/1/0432/9557/2126/files/xifawofegemiruxeveber.pdf
    • https://cdn.shopify.com/s/files/1/0429/1140/0102/files/duzaseg.pdf
    • https://cdn.shopify.com/s/files/1/0429/4737/9356/files/ninedomuvifuvubokixaz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004db2.bin
b058d76f9746ddd90e05311e74843847b1e63546670ce6e931120fc4b32ad2e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4DB2 5768 bytes
font_01_sfnt_off0000613b.bin
d6b89d6543561148acfe48c442fbc0aa6b88ecb0d3b91eb3cfcf4046212add66		 pdf-font-stream PDF embedded font (sfnt) at offset 0x613B 9452 bytes
font_02_sfnt_off0000819e.bin
bcdb41c598d6bf23703bb1a941982c4245296c86604be9fe128e3971ac406bb9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x819E 18500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.