Malicious PDF — malware analysis report

Static analysis result for SHA-256 d821ee4d089cdfb6…

MALICIOUS

PDF

36.5 KB Created: 2020-08-30 19:47:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0c8d37afb52a1c259b545fd9f7d033a SHA-1: ab861f785225bf88238b3e8102769bd2afc7ce0b SHA-256: d821ee4d089cdfb6a1998eb141b396c08924315038afc3c9b64f1ce36799f0f0
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged as malicious by a machine learning classifier and contains a critical heuristic firing for a malicious redirector link. The document body, though heavily corrupted, contains the same malicious URL. The presence of numerous other links to PDF files hosted on various domains suggests a link farm or SEO poisoning attempt, likely to obscure the malicious redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=ismail+ad%25C4%25B1g%25C3%25BCzel+tarihin+pusulas%25C4%25B1+201
    • https://static.usrfiles.com/ugd/a382ee_033b227774724349a457595cb7837ce0.pdf
    • https://static.usrfiles.com/ugd/e5a943_7cd575094d7a40c5ad24dc82caeb551f.pdf
    • https://static.usrfiles.com/ugd/9cc572_91d4363025534b6c90f2bf28e62c7c36.pdf
    • https://static.usrfiles.com/ugd/b8c837_0992f025c53541fca04e5c472a853b50.pdf
    • https://cdn.shopify.com/s/files/1/0435/6279/5167/files/creative_writing_lesson_plans_high_school.pdf
    • https://cdn.shopify.com/s/files/1/0437/2440/6935/files/house_building_plans_free.pdf
    • https://cdn.shopify.com/s/files/1/0429/6137/1290/files/7771486033.pdf
    • https://cdn.shopify.com/s/files/1/0434/7985/9366/files/the_aspern_papers.pdf
    • https://cdn.shopify.com/s/files/1/0438/9309/6600/files/empirical_literature_review_in_research.pdf
    • https://cdn.shopify.com/s/files/1/0429/3948/2278/files/atividades_de_alfabetizao_2_ano.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b26.bin
0edc7f3c2010d35890116dbc2d8b2a8c3811a2ae594eb642167adee2794a67be		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B26 5836 bytes
font_01_sfnt_off00005ea2.bin
6164893cbbad63784ea3c97d6d6a42b25d1d0c5352956d43cc1872aa3e05477b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EA2 11680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.