Malicious PDF — malware analysis report

Static analysis result for SHA-256 763e64c93f0d1aaa…

MALICIOUS

PDF

43.6 KB Created: 2020-07-09 02:54:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2faebc58b1443b5c1d6cebc8744f778e SHA-1: bdde847d7cef4dc64df2b68334f182d6e4ce5b2b SHA-256: 763e64c93f0d1aaa572e86e734f0c970c5322e0f216afa1da3b8b97061d291d5
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external PDF files hosted on various domains. One critical heuristic identified a link to known malicious redirector infrastructure, and another flagged the document as a link farm on disposable hosting. The ML classifier also strongly indicated maliciousness. This suggests the document's primary purpose is to act as a distribution point for other malicious or SEO-manipulating content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=manual%20velocimetro%20bicicleta%20cateye
    • http://files.wilkespe.com/uploads/1/3/1/0/131070379/2243810.pdf
    • http://files.shaftesburyyoungpeople.org/uploads/1/3/1/6/131637325/bigema.pdf
    • http://files.communityoff-road.com/uploads/1/3/1/1/131164418/wapariwejak.pdf
    • http://files.finksdeli.org/uploads/1/3/2/7/132741222/5b0259.pdf
    • http://files.makeupbybb.com/uploads/1/3/1/3/131381712/zinomezumajiwet_xamaminiwoxesus_radan_gekero.pdf
    • http://files.sedonaweddingessentials.com/uploads/1/3/0/8/130814124/5461353.pdf
    • http://files.cateringandcreations.net/uploads/1/3/0/8/130814513/9295549.pdf
    • http://files.elizabethkpetersonlab.com/uploads/1/3/1/3/131384789/sibufajoj-xuvini.pdf
    • http://files.windycityknittingguild.com/uploads/1/3/2/7/132712323/450507.pdf
    • http://files.cafedatalkalamode.com/uploads/1/3/1/4/131483550/3bbbf7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://zepajexoj.files.wordpress.com/2020/07/75591622465.pdf
    • https://dudibes.files.wordpress.com/2020/07/dipoxeso.pdf
    • https://xujeveva.files.wordpress.com/2020/06/fugaxakafomelominigivi.pdf
    • https://sepozux.files.wordpress.com/2020/07/66593703989.pdf
    • https://jagenanevor.files.wordpress.com/2020/07/vawabulibugaboti.pdf
    • https://regubixuxuv.files.wordpress.com/2020/07/gaxerevixabugejetuxekuzu.pdf
    • https://pesurudogi.files.wordpress.com/2020/07/7096487780.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/68905528383.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/51191810805.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/volobufepafolosovi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000606c.bin
3f6879a3178718c82d99ef55505602c273c580f1f3ee5dd000f0c86789f83466		 pdf-font-stream PDF embedded font (sfnt) at offset 0x606C 4956 bytes
font_01_sfnt_off00007139.bin
7d74807ab21e35f9adda7acdaeaad34d025305bcceb11611902656c8568e0b63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7139 16548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.