Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ef5604b94a401d4…

MALICIOUS

PDF

79.0 KB Created: 2020-09-10 17:50:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad25d234460155c43bb9d87ebbedb019 SHA-1: 94a37724b6c7c7b4d9575e80c49376c10997e4d5 SHA-256: 7ef5604b94a401d41166dc0fb212669b5d18c79aaabf61f124d6e36a2f6a29a6
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link to a known malicious redirector, which is designed to lead users to further malicious content. The document also includes a large number of links to external PDFs, suggesting a link farm or SEO poisoning attempt. The presence of a callback lure heuristic indicates a potential phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=godex+g300+barcode+printer+driver
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://static.usrfiles.com/ugd/834936_bc5c69b2e6394aa49a5545ceda5345f7.pdf
    • https://static.usrfiles.com/ugd/c7a620_436be6207403405c836f94e6067e38f2.pdf
    • https://static.usrfiles.com/ugd/3649d2_e4b7a82267f844d286c77e0d21a8681d.pdf
    • https://static.usrfiles.com/ugd/98e2de_f77018ac57a94b3f906bbfa920f52570.pdf
    • https://static.usrfiles.com/ugd/eb6612_7d426bf07a3248ac9e004e21f6533f4b.pdf
    • https://static.usrfiles.com/ugd/96768c_aee964086c534403bf74b1305bcab913.pdf
    • https://cdn.shopify.com/s/files/1/0431/4297/1553/files/veledofo.pdf
    • https://cdn.shopify.com/s/files/1/0434/8474/1798/files/63742273397.pdf
    • https://cdn.shopify.com/s/files/1/0460/1197/3799/files/lung_volumes_and_capacities_definitions.pdf
    • https://cdn.shopify.com/s/files/1/0431/8769/9876/files/campaign_finance_reform_supreme_court.pdf
    • https://cdn.shopify.com/s/files/1/0431/0541/9418/files/bachelor_thesis_computer_science.pdf
    • https://cdn.shopify.com/s/files/1/0432/9160/7190/files/23558671441.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c190.bin
aff11289bf87f92bc53c0e2abc335208e29b6db8a954e82fd0a5595ffa95d344		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC190 2880 bytes
font_01_sfnt_off0000cbce.bin
d3eb83560a29a33473ab586800fe7f763c8fce1287356e15c7fe88e7a044d2ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCBCE 5424 bytes
font_02_sfnt_off0000de53.bin
13014fe9febe84bcd00948825405765d5f10cf4bdc3d95aa335829e83519aed9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDE53 13804 bytes
font_03_sfnt_off00010add.bin
9dd161ad083bde31f1785977080a21cd00ffd1d65af7312c0685ba069ea0c2ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10ADD 16152 bytes
font_04_sfnt_off00011fe3.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11FE3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.