Malicious PDF — malware analysis report

Static analysis result for SHA-256 800df48ef49da36c…

MALICIOUS

PDF

37.7 KB Created: 2020-08-20 13:27:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 71f9d39ed87c4682d0f83772aac3b0f3 SHA-1: 4acd80145c2db1a66c5468fafafb4bb311feeaf8 SHA-256: 800df48ef49da36c6dc525726666e55dd2f80e03d23fe6e5ac88b74d9344010a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged as malicious by an ML classifier and contains a critical heuristic indicating it links to known malicious redirector infrastructure. It also exhibits characteristics of a PDF link farm, embedding numerous external links disguised as reports. The primary malicious IOC is the redirector URL, which is likely used to funnel victims to further stages of an attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=ageing+report+2015+european+commission
    • http://files.aspireinsurancegroup.com/uploads/1/3/1/3/131380308/7418520.pdf
    • http://files.volusiaschoolcounselors.org/uploads/1/3/1/4/131453559/puvononufuzezekuvuni.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0440/2629/8533/files/veramepabegilenudo.pdf
    • https://cdn.shopify.com/s/files/1/0433/6808/7701/files/types_of_bacteriophage.pdf
    • https://cdn.shopify.com/s/files/1/0435/0436/9816/files/gexakapuwajox.pdf
    • https://cdn.shopify.com/s/files/1/0429/3692/6374/files/sizapesinunabupadug.pdf
    • https://cdn.shopify.com/s/files/1/0435/1492/1114/files/21043354731.pdf
    • https://cdn.shopify.com/s/files/1/0433/9970/8821/files/56542533414.pdf
    • https://cdn.shopify.com/s/files/1/0434/7795/8816/files/jusirufiroj.pdf
    • https://cdn.shopify.com/s/files/1/0433/3826/8830/files/bayesian_statistics_for_beginners_a_step_by_step_approach.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000053d4.bin
91f50d6fe4035ac8e29478ff02ab62c2650cc3d25ec2fbe4756eadaae7750039		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53D4 5660 bytes
font_01_sfnt_off0000670a.bin
13301015c7a1810e79314d1ecb6fca6f8d9fc2cc1bd9c8f19d617d226bcb817e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x670A 10548 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.