Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c3a5dbcb4b252a3…

Verdict: MALICIOUS
File type: PDF
Size: 54.7 KB
Created: 2020-09-18 01:24:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f370227699c8f8caa44e5c1309921053
SHA-1: f8324634195a23f162723c61c709ff2547856ebf
SHA-256: 9c3a5dbcb4b252a30dced4e456c922a84c5fd249cbe27851b4a249c442c42972
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment   T1204.001 User Execution: Malicious Link

The PDF was flagged by a machine learning classifier with high confidence (score 1.0000) and contains numerous external links. One critical heuristic identified a clickable link to a known malicious redirector, and a second identified a link farm of 24 external PDF links. Together these indicate a document built to lure users to malicious websites or further malware downloads, not one that exploits a PDF parser bug. No scripts were extracted from this sample, and the producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a generated carrier rather than an authored document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in what the link resolves to at click time, not in opening the file.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a JavaScript, Launch or URI action).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.club/wix?keyword=%25ED%2586%25A0%25EB%25A5%25B4+%25EB%259D%25BC%25EA%25B7%25B8%25EB%2582%2598%25EB%25A1%259C%25ED%2581%25AC+%25EB%258B%25A4%25EC%258B%259C%25EB%25B3%25B4%25EA%25B8%25B0+%25ED%258C%2590%25EB%258F%2584%25EB%259D%25BC
      The keyword parameter is double percent-encoded UTF-8; decoded it reads 토르 라그나로크 다시보기 판도라 ("Thor: Ragnarok rewatch Pandora"), a Korean streaming search phrase of the kind used as SEO bait. It is the only non-PDF link in the document and the likely target of PDF_MALICIOUS_REDIRECTOR_LINK.
    • http://guteso.painandperformancesolutions.org/uploads/1/3/0/9/130969352/5994286.pdf
    • http://files.barbaracallow.ca/uploads/1/3/0/7/130775084/latutaj.pdf
    • http://files.neemcalendar.org/uploads/1/3/1/3/131382841/8884245.pdf
    • http://files.mulberrylodgewillunga.com/uploads/1/3/0/9/130969600/puxaperawit.pdf
    • https://a749b6ba-aa46-4a2c-a129-f2c8e210eac1.filesusr.com/ugd/954c8b_ccb7c23ef8494906a824e15e09f0f6db.pdf?index=true
    • https://0a035daa-54bf-454d-b2fb-dfd1025b0fe4.filesusr.com/ugd/ef0078_33a91ae7fa64453f83235c70f23cce1d.pdf?index=true
    • https://3f23798d-8861-444e-b630-7cf59ba6f55d.filesusr.com/ugd/3f80ec_b7f3eaab92e64cc2a52fd77f511738a6.pdf?index=true
    • https://1e23c143-1279-4fbc-9e82-f837eabd1913.filesusr.com/ugd/0789d5_754a81f337364f42b1c7c7776131ce01.pdf?index=true
    • https://79ba474b-7d39-445d-b3c1-9aa6a86e0296.filesusr.com/ugd/a51aec_a947e9d1088e4a8eb11b7b319528de0e.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0432/3137/9618/files/24981554359.pdf
    • https://cdn.shopify.com/s/files/1/0437/7952/2714/files/retifexiwibegole.pdf
    • https://cdn.shopify.com/s/files/1/0438/5076/0357/files/anomalias_congenitas_del_aparato_reproductor_femenino.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The six URIs directly above are XMP/RDF schema namespace identifiers from the document metadata, not clickable targets. They appear in practically every PDF that carries an XMP packet and should not be counted toward the link-farm total.
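
The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the redirector check all start from the same step: carving every "N G obj ... endobj" definition out of the file, including duplicates, and then deciding which definition a reader would honour. The script below is an added worked example written for this report, not the analysis tool's own code. It runs against a constructed miniature PDF embedded inline (reserved .test/.example hosts, a hypothetical redirector denylist, and thresholds of 200 KB, five .pdf links and a 50% top-host share that are assumptions, not the report's calibration) and shows both heuristics firing, plus why the resolution policy matters: the redirector link lives only in the second definition of object 4 0, so a first-wins reader never sees it while a last-wins reader does.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample, not the analysed file: a minimal PDF with /Link annotations and
# object "4 0" defined twice with different bodies, the shape an incremental update (or a
# parser-confusion trick) leaves behind. Hosts are reserved .test/.example names. No xref
# table is included; this carver scans for "N G obj ... endobj" the way a lenient reader does.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/about) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.farm.test/uploads/1/3/0/9/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.farm.test/uploads/1/3/0/9/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.farm.test/uploads/1/3/0/7/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://files.farm.test/uploads/1/3/1/3/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.other.test/s/files/1/0432/e.pdf?index=true) >> >> endobj
trailer << /Root 1 0 R >>
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redir.example/wix?keyword=x) >> >> endobj
%%EOF
"""

SUSPECT_REDIRECTORS = {"redir.example"}  # hypothetical stand-in for a redirector-infrastructure feed
# Keys that make a duplicated object "active content" rather than a benign body edit (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/GoToR", b"/SubmitForm")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")  # literal string following the /URI key

def parse_objects(pdf):
    """Return every indirect object as (num, gen, body) in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip()) for m in OBJ_RE.finditer(pdf)]

def resolve(objects, policy):
    """Build the (num, gen) -> body table that a first-wins or last-wins reader would see."""
    table = {}
    for num, gen, body in objects:
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table

def find_duplicate_objects(objects):
    """Flag object numbers defined more than once; raise only when bodies differ AND carry active keys."""
    seen = defaultdict(list)
    for num, gen, body in objects:
        seen[(num, gen)].append(body)
    findings = []
    for key, bodies in seen.items():
        if len(bodies) < 2:
            continue
        differs = len(set(bodies)) > 1
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({"obj": key, "definitions": len(bodies), "body_differs": differs,
                         "raised": differs and active})
    return findings

def extract_link_uris(table):
    """Pull /URI targets out of link annotations, in object-number order."""
    uris = []
    for key in sorted(table):
        body = table[key]
        if b"/Link" not in body:
            continue
        for m in URI_RE.finditer(body):
            # Only delimiter escapes are undone; full PDF string escapes (\n, \ddd) are out of scope here.
            uris.append(re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1"))
    return uris

def link_farm_verdict(uris, file_size, max_size=200_000, min_pdf_links=5, min_top_share=0.5):
    """Small file + many external .pdf targets clustered on one host => link-farm carrier."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = file_size <= max_size and len(pdf_links) >= min_pdf_links and share >= min_top_share
    return {"pdf_links": len(pdf_links), "top_host": top_host, "top_host_share": round(share, 3),
            "flagged": flagged}

def redirector_hits(uris, denylist):
    return [u for u in uris if urlparse(u).netloc.lower() in denylist]

def analyse(pdf, policy="last"):
    objects = parse_objects(pdf)
    uris = extract_link_uris(resolve(objects, policy))
    return {"policy": policy, "uris": uris, "duplicates": find_duplicate_objects(objects),
            "link_farm": link_farm_verdict(uris, len(pdf)),
            "redirector_hits": redirector_hits(uris, SUSPECT_REDIRECTORS)}

if __name__ == "__main__":
    # Run both resolution policies: the redirector link is visible only to a last-wins reader.
    for policy in ("first", "last"):
        print(analyse(SAMPLE_PDF, policy))
```

When triaging a real sample, run the extraction under both policies and diff the URL sets; a link that appears only under one policy is itself a finding, because it means the document shows different content to different readers. The regex carver is deliberately lenient (it ignores the xref table and object streams), which is the point: a detector that trusts the xref will miss exactly the definitions a parser-confusion PDF hides from it.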

Extracted artifacts 4

Files carved from inside the sample during analysis. All four are the document's embedded fonts; no heuristic in this report refers to them.

  • font_00_sfnt_off00004b30.bin
    SHA-256: 221a52f419af66453cc86f109a39ee81043e9280d3ca7ad8b668b5b115af31ee
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x4B30   Size: 25496 bytes
  • font_01_sfnt_off00009437.bin
    SHA-256: c59510f5750770f8548d9a99b9176362a269a73f4b88fa6545bac626d37ced9d
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x9437   Size: 4024 bytes
  • font_02_sfnt_off0000a246.bin
    SHA-256: fc5a50539b6821e1b2ece578346e366520df843d0b0fac3db2f321e8ac23fda9
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0xA246   Size: 4068 bytes
  • font_03_sfnt_off0000b025.bin
    SHA-256: 2c19b4e48acbf4042e7e0f05aada4cb9641147142b3d690ce48d3057ebfe3b1e
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0xB025   Size: 7952 bytes