Malicious PDF — malware analysis report

Static analysis result for SHA-256 761e4deafe02b558…

MALICIOUS

PDF

37.8 KB Created: 2020-08-13 23:24:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e1419362550561df5e75939893046e0 SHA-1: e390f36505853096e5bd329f170bcc9691aa2470 SHA-256: 761e4deafe02b558cc5e050a58293ed1f8e2fcdbd237a69325325508295dfb9f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains a large number of embedded links, many of which point to external resources, a technique often used in SEO link farms. One of the primary links, 'https://ttraff.com/pify?keyword=esame+celi+5+pdf', is identified as a known malicious redirector. The document body contains garbled text along with the malicious URL, suggesting an attempt to obscure its true nature. The presence of a malicious redirector and the link farm structure strongly indicate a malicious intent, likely to lead users to harmful content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/pify?keyword=esame+celi+5+pdf
    • http://files.valley-oak-nursery.com/uploads/1/3/0/7/130740069/xitafaxuvax_moxoluriv.pdf
    • http://files.pianolessonsbyjulie.com/uploads/1/3/1/3/131380868/59baef08.pdf
    • http://files.sansmarket.co/uploads/1/3/0/9/130969377/288917.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0428/8036/8796/files/kutanukalexo.pdf
    • https://cdn.shopify.com/s/files/1/0434/1288/1564/files/dnd_5e_tunnel_fighter.pdf
    • https://cdn.shopify.com/s/files/1/0430/7877/9029/files/xiwapaj.pdf
    • https://cdn.shopify.com/s/files/1/0430/8320/2711/files/71028495826.pdf
    • https://cdn.shopify.com/s/files/1/0431/4421/6730/files/statistical_analysis_definition.pdf
    • https://cdn.shopify.com/s/files/1/0429/1356/2787/files/71055586902.pdf
    • https://cdn.shopify.com/s/files/1/0435/4310/1591/files/octavia_butler_dawn.pdf
    • https://cdn.shopify.com/s/files/1/0431/1092/4437/files/fury_warrior_bis.pdf
    • https://cdn.shopify.com/s/files/1/0448/1161/6418/files/essentials_config_file.pdf
    • https://cdn.shopify.com/s/files/1/0433/5088/4505/files/xusoxu.pdf
    • https://cdn.shopify.com/s/files/1/0447/9261/0977/files/seruzepefukosezozin.pdf
    • https://cdn.shopify.com/s/files/1/0429/6730/2295/files/tulujokafesimukifu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000053d4.bin
b37a2f61540d8a7cea360cbaf901b6553648fc8cd199c02b61f7713ac9cf839f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53D4 5284 bytes
font_01_sfnt_off000065c5.bin
75d55d2d1478d0199ef56d9b020acc0af6bb7ed2f7c14e5a1209b5a257201f7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65C5 10960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.