Malicious PDF — malware analysis report

Static analysis result for SHA-256 b590ed38f57c3e3e…

MALICIOUS

PDF

44.4 KB Created: 2020-07-08 21:17:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e1ca5837f6b240dc874b347cc3eca604 SHA-1: a0aafd4213f2702914f7601a740540c5fd55413d SHA-256: b590ed38f57c3e3ecc50c4d4b3da7d6c2376138d4d6b857f41ef2561d63de433
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to external PDF files hosted on various domains. The primary link redirects to a malicious URL, suggesting a phishing or malware distribution attempt. The document body text, while partially corrupted, includes keywords related to a 'solution manual', likely used as a lure. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=solution%20manual%20linear%20programming%20and%20network%20flows%20fourth%20edition
    • http://files.custommailservices.com/uploads/1/3/1/8/131871762/8293704.pdf
    • http://files.match-gems.com/uploads/1/3/0/9/130969243/waruxe-gibotusupuwe-viputefetapaj-walugogigebomev.pdf
    • http://files.alanbirtwistle.com/uploads/1/3/1/3/131383664/werox_xapedewero_bemidituziv_zurer.pdf
    • http://files.theworldofmcewan.com/uploads/1/3/0/7/130738814/gibaja_tawix_wododibura_musimetal.pdf
    • http://files.nalinikrishnankutty.com/uploads/1/3/0/8/130874128/mewajuluxojuvafox.pdf
    • http://files.lknailsandbeauty.co.uk/uploads/1/3/2/6/132681938/wovaxale.pdf
    • http://files.ethicsgeneral.com/uploads/1/3/2/6/132681450/gisalu_vesamomu_puwonesijugibe_razaz.pdf
    • http://files.nileinstitute.org/uploads/1/3/1/3/131397934/nelisid.pdf
    • http://files.4u2customize.com/uploads/1/3/2/6/132682565/vezodudepuzefon.pdf
    • http://files.62squadron.com/uploads/1/3/1/3/131384145/3308639.pdf
    • https://xuvifix.files.wordpress.com/2020/06/pokaguvobif.pdf
    • https://pepavujewow.files.wordpress.com/2020/06/fafekodavinefefuzi.pdf
    • https://dozijiroligo.files.wordpress.com/2020/07/12931312126.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/mojarugalemidim.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/68513135127.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/43778875991.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/89120948070.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/files/1

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006299.bin
3c54718809856da229005c83ebe505f072638c3d9caffa681c4b291d9001d617		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6299 3284 bytes
font_01_sfnt_off00006e72.bin
8ae21903530f169a8cc6cdafbf0dc65117d2dff986a5130e33bb6b87e6c8f4be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E72 5596 bytes
font_02_sfnt_off00008150.bin
dd14e0c5cc2b2fa099b42c01974983e0cc5254b3616e0aab9da0b6f2ed81b4da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8150 10048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.