Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b6403ddfcca0787…

Verdict: MALICIOUS
File type: PDF
Size: 56.0 KB
Created: 2020-09-01 09:50:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6344389bc502693676fef5f98e826aea
SHA-1: e378a1fce4952ad88262b9670dfc94d602e9a5ff
SHA-256: 7b6403ddfcca07871930c53674529c710ede6fa6b8d7711ffa1053bec8010491
Risk score: 194

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to a redirector service. The heuristics PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM indicate that the document is a carrier in a scheme that routes users to malicious infrastructure, and the ML classifier also flags it as malicious with high confidence. The link annotations and the document's structure (a small, wkhtmltopdf-generated file whose links cluster on a few hosts) point to a user-interaction lure that leads through deceptive links to phishing or unwanted-software delivery, not to a PDF parser exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment. This is often used to keep payloads encrypted until after gateway scanning.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/wix?keyword=du+booster+app+free
    • http://fontawesome.io
    • http://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://static.usrfiles.com/ugd/cfbfd2_2b8314aa980f40a184abb815c389ea91.pdf
    • https://static.usrfiles.com/ugd/529dbf_f7875e99c0d04b2495dc2de384e336ef.pdf
    • https://static.usrfiles.com/ugd/d162e3_571b917e1b4b4168b6f8ec2ba81fcddb.pdf
    • https://static.usrfiles.com/ugd/cc03df_d6d30238c7d542aeaada7665dd0da6c0.pdf
    • https://cdn.shopify.com/s/files/1/0437/2057/3082/files/drenagem_linftica_manual.pdf
    • https://cdn.shopify.com/s/files/1/0427/9740/0223/files/92784285176.pdf
    • https://cdn.shopify.com/s/files/1/0437/1444/5465/files/dietitians_association_of_australia_enteral_feeding_guidelines.pdf
    • https://cdn.shopify.com/s/files/1/0429/4869/0076/files/a_practical_english_grammar_exercises_1_third_edition.pdf
    • https://cdn.shopify.com/s/files/1/0430/2379/4337/files/loduxozubafami.pdf
    • https://cdn.shopify.com/s/files/1/0437/7480/4126/files/ebay_kleinanzeigen_app_kostenlos.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/3215656586.pdf
    • https://cdn.shopify.com/s/files/1/0435/3739/9960/files/kaneko.pdf
    • https://cdn.shopify.com/s/files/1/0437/2958/4282/files/89828534081.pdf
    • https://cdn.shopify.com/s/files/1/0431/7754/1787/files/24438705135.pdf
    • https://cdn.shopify.com/s/files/1/0430/5505/5002/files/41580960084.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/48975286879.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
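
Added example, not code from the original report or from the analysis engine behind it: a small Python triage pass that reimplements two of the heuristics listed above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, directly over raw PDF bytes, and shows what a first-wins reader and a last-wins reader would each resolve for a duplicated object. The sample PDF is constructed for this example; the thresholds (256 KB, five .pdf links, 60% of links on one host), the function names and the ACTIVE_KEYS list are assumptions, not the engine's own values.

```python
"""Added example, not code from the original report or its analysis engine.

Reimplements PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL as a
static pass over raw PDF bytes. The sample PDF, the thresholds, the function
names and the ACTIVE_KEYS list are assumptions made for this example.
"""
from __future__ import annotations

import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): five .pdf links on one host,
# one redirector link, and object 6 0 defined twice. The first body is a
# harmless URI action; the incremental update at the end redefines it with
# a /JavaScript action, so first-wins and last-wins readers disagree.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-files.test/s/1/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-files.test/s/2/b.pdf) >> >> endobj
6 0 obj << /S /URI /URI (https://www.w3.org/) >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-files.test/s/3/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-files.test/s/4/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example.test/go?k=free+app) >> >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-files.test/s/5/e.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
6 0 obj << /S /JavaScript /JS (app.launchURL\\("https://redirector.example.test/go", true\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Assumed list of keys that make a duplicated body count as 'active content'.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI string literal in the file, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_score(pdf: bytes, max_size=256 * 1024, min_pdf_links=5, min_share=0.6) -> dict:
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, one dominant host."""
    uris = extract_uris(pdf)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    hit = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_share
    return {"uris": len(uris), "pdf_links": len(pdf_links), "top_host": top_host,
            "top_share": round(share, 2), "hit": hit}


def object_definitions(pdf: bytes) -> list[tuple[tuple[int, int], bytes]]:
    """((num, gen), whitespace-normalised body) for every 'N G obj ... endobj'."""
    return [((int(m.group(1)), int(m.group(2))), b" ".join(m.group(3).split()))
            for m in OBJ_RE.finditer(pdf)]


def duplicate_objects(pdf: bytes) -> list[dict]:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen), different body bytes."""
    first: dict[tuple[int, int], bytes] = {}
    findings = []
    for key, body in object_definitions(pdf):
        if key not in first:
            first[key] = body
        elif body != first[key]:
            # Severity is raised only when either body carries active content.
            active = any(k in body or k in first[key] for k in ACTIVE_KEYS)
            findings.append({"obj": key, "active": active,
                             "severity": "high" if active else "info",
                             "first": first[key].decode("latin-1"),
                             "last": body.decode("latin-1")})
    return findings


def resolve_object(pdf: bytes, num: int, gen: int, policy: str = "last") -> bytes | None:
    """Body a first-wins or last-wins reader would use for object (num, gen)."""
    bodies = [b for key, b in object_definitions(pdf) if key == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def triage(pdf: bytes) -> dict:
    return {"PDF_SEO_LINK_FARM": link_farm_score(pdf),
            "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL": duplicate_objects(pdf)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
    print("first-wins 6 0:", resolve_object(SAMPLE_PDF, 6, 0, "first"))
    print("last-wins  6 0:", resolve_object(SAMPLE_PDF, 6, 0, "last"))
```

Run against a real sample, the same functions take the file's bytes in place of SAMPLE_PDF. Two caveats a practitioner should keep in mind: the regexes see only plain-text objects, so URIs or object bodies inside compressed object streams (/ObjStm) need decompression first, and the active-content check is a substring match on names, so a final decision should confirm the hit with a real parser such as pdf-parser or qpdf before raising severity.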

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are embedded sfnt font streams; no script, archive or executable payload was carved, which is consistent with the heuristics' view that this document relies on links and user interaction rather than on an embedded exploit.

Filename                       Kind             Source                                      Size          SHA-256
font_00_sfnt_off000055be.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x55BE   5628 bytes    ecea2c7a2aba2e8dc08959a5de57812338e67fc6b8830b4219b26e0ea7750c09
font_01_sfnt_off0000695a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x695A   1736 bytes    2386068f7a73a9f1c684ba6296c5021819071ca54571ed7fff7ef555150aac7c
font_02_sfnt_off000071c1.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x71C1   5004 bytes    a60bc4a202d0e95634a78fb0ad7eae65c77ec4d2ba5b5ae9d449b57c1f292ea8
font_03_sfnt_off000082c3.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x82C3   6640 bytes    593a452f0795506ac97007ad32b21767cc543cb1bc716fd74108abb5279d52e6
font_04_sfnt_off00009461.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x9461   11172 bytes   e1d23b201bb935f2c2cc7695923df684676ba4c24e5fbbba81c6bb04e22d22fb
font_05_sfnt_off0000b9ab.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xB9AB   16920 bytes   1d51a6b93399a7e5d37a4c6c955e359f6dd0914d14d5f2931b1ba318fedaf79c