Malicious PDF — malware analysis report

Static analysis result for SHA-256 a19176197ba68606…

Verdict: MALICIOUS
File type: PDF
Size: 53.5 KB
Created: 2020-10-25 04:28:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fb38b498856392a583ea60458056a4ee
SHA-1: 6e85d18cd49f7d3a977cb4770899255f7a78ae2c
SHA-256: a19176197ba68606aff86126a0026b6caee5c6b589c97bda6f368477bd25c908
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to redirectors and link farms designed to manipulate search engine results or lead users to malicious content. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' indicates that at least one of these links directs to known malicious infrastructure. While no scripts were explicitly extracted, the nature of the link farm suggests an attempt to distribute further payloads or engage in SEO abuse, aligning with common phishing and malware distribution tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00006abc.bin
    SHA-256: 0eac1552a6a0cc8d6d43e14f5c157d052ff2bf21460314f67a2c213e0a454e63
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x6ABC; Size: 6744 bytes
  • font_01_sfnt_off00007b93.bin
    SHA-256: f7885f7204153e9fe5aee2783c9e2171ae9d152d5fa1e687ec261271605b7a89
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7B93; Size: 1596 bytes
  • font_02_sfnt_off00008390.bin
    SHA-256: 19739a13152d8caed42667b5171f82b041a42fda661c7a06c8a0578687d98687
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8390; Size: 5480 bytes
  • font_03_sfnt_off00009618.bin
    SHA-256: b4612c189547c08664bf7d4b54373b9ed6f3ce12ab666426bb363c25476fede2
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9618; Size: 10536 bytes
  • font_04_sfnt_off0000b9f7.bin
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xB9F7; Size: 4324 bytes