Malicious PDF — malware analysis report

Static analysis result for SHA-256 895651b88df425c1…

Verdict: MALICIOUS
File type: PDF
Size: 52.2 KB
Created: 2020-08-09 22:49:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f816c774af343012cdeab2d36579309c
SHA-1: 530a2a26cb574bf3bbe36f8219d224718884e530
SHA-256: 895651b88df425c1a15f3494e0b81e9066fd1eadc6937eb8b660f460b65e7514
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to external PDF files hosted on various domains. One of these links, 'https://ttraff.cc/pify?keyword=aquatic+ecosystem+notes+pdf', is flagged as a malicious redirector. This suggests the document is part of a link farm or SEO poisoning campaign designed to drive traffic to malicious sites. No scripts were extracted, but the presence of the malicious redirector and the sheer volume of links indicate a high likelihood of user redirection to harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=aquatic+ecosystem+notes+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008d20.bin
  SHA-256: cd7889cf7439aa48a08858cc06f458b552274bf0cdbad3bc078316f1e1dbfac5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8D20
  Size: 5388 bytes

Filename: font_01_sfnt_off00009f73.bin
  SHA-256: 0f9d48209f21cf22cf3428472c9fb58a2dc5f0078a75934dd64846a1d792feb8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9F73
  Size: 11216 bytes