Malicious PDF — malware analysis report

Static analysis result for SHA-256 74b1526887c11275…

MALICIOUS

PDF

42.4 KB Created: 2020-09-21 05:04:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96b1786a0a797edcb9197eec376e6c59 SHA-1: ae42048a36efc34da94460a22ccb88dd4104ef72 SHA-256: 74b1526887c1127565ea09ecbe0bf01baa6582af6f6eb7f166ad52db4446f2f5
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a significant number of embedded links, with one identified as a malicious redirector. The primary purpose appears to be SEO manipulation or traffic generation through a link farm, as indicated by the 'PDF_SEO_LINK_FARM' and 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristics. The presence of a malicious redirector URL suggests a potential for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=historical+context+in+woods+runner%2527s+life
    • http://files.traceypartridgeart.com/uploads/1/3/0/7/130775679/43e12a3158f03.pdf
    • http://kedodol.bairdvisuals.com/uploads/1/3/0/7/130738721/1509599.pdf
    • http://files.tamesmusic.com/uploads/1/3/1/4/131408142/gowawixaluto.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e8fb3053-c5e1-4bb1-8cfb-3e3bd0b3b606.filesusr.com/ugd/cbdbb6_17782e83a5d341bcb99f9b02772c1f6f.pdf?index=true
    • https://7206a645-3a3e-45e9-a2b1-2b8fbd0ca64f.filesusr.com/ugd/4aae87_4ed554a58c7040bda18d7a4a9441f690.pdf?index=true
    • https://53da88f0-6564-4215-a8e2-14db552fd063.filesusr.com/ugd/1cc777_ba8fe1014e404282854d527d15fed6c0.pdf?index=true
    • https://67f8f22e-7528-4b95-887f-25214d1e551c.filesusr.com/ugd/61804c_7f966bd2e3be458cb400adeff4dd1d2b.pdf?index=true
    • https://d85ac140-5ab3-4a33-9acd-3e051cf45539.filesusr.com/ugd/0dcf4b_d9ae2412dbd744a5a4bbca2919cf5f13.pdf?index=true
    • https://6b6bddce-9401-43ae-8c7b-702956cf29b7.filesusr.com/ugd/e4a001_52b0a9f01cb54aafa718157a010127bd.pdf?index=true
    • https://0352c3df-e710-4213-90eb-7de2ade09cf4.filesusr.com/ugd/9d7ad9_981e94ebe4bf44bab2899e9adc91b95a.pdf?index=true
    • https://aa291d44-075f-4c6c-8fdf-f383e632b344.filesusr.com/ugd/66f3f9_18994180afcc4aa3a5ef207490dc20fe.pdf?index=true
    • https://5d30ce65-e47e-47fe-8abb-72bd79daf0f2.filesusr.com/ugd/29c71c_0986372f938a408786a99012108ad39f.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0436/4071/7472/files/jorinugujomemo.pdf
    • https://cdn.shopify.com/s/files/1/0434/3375/4773/files/fisherman_s_blues_sheet_music_violin.pdf
    • https://cdn.shopify.com/s/files/1/0437/3318/8759/files/anaesthesia_and_intensive_care_medicine.pdf
    • https://cdn.shopify.com/s/files/1/0431/8652/0224/files/kasezizepipox.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006869.bin
43f2b5ea6445f6cf263a4c2b508cba897a22c305eedf8f2daceece59069f1be9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6869 5172 bytes
font_01_sfnt_off00007a2a.bin
44633bb299573fcdaf3cb0ee0fc0c2e1e15e19d3ff0a74e215cd2d826e703f26		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A2A 10116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.