Malicious PDF — malware analysis report

Static analysis result for SHA-256 79183734e18e3d69…

MALICIOUS

PDF

38.1 KB Created: 2020-08-08 13:44:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68527ad12b67d80cdef47c2c2e8250c1 SHA-1: dd086e6d3ddb0b093a265e92253b445a9afe67b7 SHA-256: 79183734e18e3d69ddd3e71ee300ca7c2db081e0e1488b1c6bffb3cdfde017c6
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to a link farm designed to redirect users to malicious infrastructure. The primary malicious URL identified is https://ttraff.cc/pify?keyword=malinconia+ninfa+gentile+bellini+pdf, which is flagged as a known malicious redirector. While no scripts were directly extracted, the PDF structure and embedded links strongly suggest an attempt to lead the user to a malicious site, likely for further exploitation or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=malinconia+ninfa+gentile+bellini+pdf
    • http://files.elmbankrabbitboarding.com/uploads/1/3/0/8/130814297/mumegobu.pdf
    • http://files.schoolpatio.com/uploads/1/3/2/7/132740415/6232202.pdf
    • http://files.dorebowen.com/uploads/1/3/1/8/131871817/ca29a564200d45d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0430/3811/3955/files/breviario_romano_download.pdf
    • https://cdn.shopify.com/s/files/1/0435/6964/3675/files/d3_interactive_line_chart.pdf
    • https://cdn.shopify.com/s/files/1/0431/9507/2674/files/62908081917.pdf
    • https://cdn.shopify.com/s/files/1/0431/7410/1149/files/6533745843.pdf
    • https://cdn.shopify.com/s/files/1/0431/4418/3970/files/zexivabajejerawev.pdf
    • https://cdn.shopify.com/s/files/1/0433/8181/7495/files/solicited_proposal_example.pdf
    • https://cdn.shopify.com/s/files/1/0431/0014/3777/files/42947234023.pdf
    • https://cdn.shopify.com/s/files/1/0430/0944/1953/files/busugibuxofogazavaraw.pdf
    • https://cdn.shopify.com/s/files/1/0434/4243/8310/files/59105812009.pdf
    • https://cdn.shopify.com/s/files/1/0431/3815/4653/files/sanutefugotus.pdf
    • https://cdn.shopify.com/s/files/1/0429/9482/7418/files/45146677947.pdf
    • https://cdn.shopify.com/s/files/1/0430/0495/2735/files/9976212684.pdf
    • https://cdn.shopify.com/s/files/1/0439/2671/6584/files/dusogol.pdf
    • https://cdn.shopify.com/s/files/1/0439/2353/8088/files/49910869696.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005355.bin
38113896f1cafac0a7e332251454e1ee1645928c90b2bd285fed01182c446255		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5355 5196 bytes
font_01_sfnt_off00006522.bin
80c348dd424f5ba3b34728ba292f51cd9fc44e8e8bdcde057ac7e05558cbacf7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6522 11360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.