Malicious PDF — malware analysis report

Static analysis result for SHA-256 cdc922c464c3cf6c…

MALICIOUS

PDF

39.4 KB Created: 2020-08-19 08:10:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c6c732e9291de3f9cf419368713620f4 SHA-1: 0ee04088bfa81e7d8bb0f39233664f1d1b4d42dd SHA-256: cdc922c464c3cf6c90469b0f111388f267f5ae63070ea3c5e81dcca86b8e8d5e
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged as malicious by a machine learning classifier and contains a critical heuristic indicating a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains the URL that triggered the redirector heuristic. This suggests the primary purpose of the PDF is to lure the user to a malicious site via the embedded link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/pify?keyword=lagu+aku+dan+dirimu+koes+plus
    • http://files.marjorieorourke.com/uploads/1/3/1/3/131379034/bobevanazaxakowelej.pdf
    • https://cdn.shopify.com/s/files/1/0440/6634/1029/files/16513312038.pdf
    • https://cdn.shopify.com/s/files/1/0431/8684/7903/files/upsc_books_in_marathi_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0429/4000/6559/files/24493985961.pdf
    • https://cdn.shopify.com/s/files/1/0433/9643/2021/files/baby_cartoon_mp4.pdf
    • https://cdn.shopify.com/s/files/1/0431/5286/7477/files/5157137893.pdf
    • https://cdn.shopify.com/s/files/1/0435/4582/1333/files/44545582224.pdf
    • https://cdn.shopify.com/s/files/1/0434/7258/4870/files/78145874507.pdf
    • https://cdn.shopify.com/s/files/1/0430/7927/0554/files/tefaxebewujaxifegubow.pdf
    • https://cdn.shopify.com/s/files/1/0435/4742/6975/files/15135336918.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000053c2.bin
ee8ae874436ca08f9fb0052394812fc246b3ca0ecbae4235871722323b883033		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53C2 5284 bytes
font_01_sfnt_off000065a7.bin
55c9ae8399815cf7a78ebe6d51b3ce5ad512a3a0a4935b98f1c0dca3b3ac4858		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65A7 13776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.