Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3f4a4000187fec5…

Verdict: MALICIOUS
File type: PDF
Size: 54.5 KB
Created: 2020-08-04 16:17:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 35f5a2b8eccc3ad103bb32aacb848013
SHA-1: 3a96bb8b4e9d0e731a10aeeb0aa99d3ef8172b67
SHA-256: a3f4a4000187fec58f5ca11e8a6be9998dfca3f686414efd4bd8595ed2c17eb7
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, directing users to a URL that appears to be a lure for a "bankers adda current affairs quiz pdf". The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the same malicious URL. The presence of numerous other links to benign Shopify PDFs suggests a link farm tactic, likely to obscure the malicious redirector.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://ttraff.com/pify?keyword=bankers+adda+current+affairs+quiz+pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000074e9.bin
    SHA-256: e0e5907ac7b595faff01d4179205a98a056becf4824c3a5af4696df611413da3
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x74E9 | Size: 5180 bytes
  • font_01_sfnt_off00008699.bin
    SHA-256: 6d226015a64236c89f98e7865bf4fc570acd2df301569eddce19f2b189aa3281
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x8699 | Size: 10028 bytes
  • font_02_sfnt_off0000a8f2.bin
    SHA-256: ead7fd593d7f5feef6f283420e9b55f8fa4552f107c64b0063d474dd3355abd8
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xA8F2 | Size: 16164 bytes
  • font_03_sfnt_off0000be0b.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xBE0B | Size: 4324 bytes