Malicious PDF — malware analysis report

Static analysis result for SHA-256 844f62eb55977b78…

MALICIOUS

PDF

Size: 47.1 KB
Created: 2020-08-30 15:51:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fcff8cf5a9ecec4bc0b12b34b10ed234
SHA-1: e941ec03d99e81acc478d3f3a19f8b959d2c086a
SHA-256: 844f62eb55977b783e9fb7a745f8ffb9485271910ed8a9b0b7b42b57181d8c46
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, with one specifically pointing to a known malicious redirector. The document body, though heavily obfuscated, also contains this malicious URL, suggesting an attempt to disguise malicious activity as educational content. The ML classifier strongly indicates maliciousness, and the presence of a redirector link is a high-confidence indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=adding+and+subtracting+unlike+fractions+word+problems+worksheet

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005e07.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E07
    Size: 5856 bytes
    SHA-256: 6b055489a98b4c73b2397e1246fd7c93305ac0249ea291efecbd52fea7804f60
  • font_01_sfnt_off000071d2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x71D2
    Size: 10556 bytes
    SHA-256: 3c33abd7bb533342e28987ae1cf98fd9cbc705e069434f18e62a624c0d51c99b
  • font_02_sfnt_off00009607.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9607
    Size: 17412 bytes
    SHA-256: 16b7aa981c665a35d0a4f648dd93b4606505e3da63e86b2165f4717afa7834f1