Malicious PDF — malware analysis report

Static analysis result for SHA-256 de6005b99bbef5a2…

MALICIOUS

PDF

Size: 57.6 KB
Created: 2020-08-07 04:18:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d82b55fad6a4b315dff18db09f1d8bd2
SHA-1: 33940e4999c619bfce8a906ef9c4914b82fb3e8c
SHA-256: de6005b99bbef5a2cb1610a8fc1256e72095f3f8b8fd95f191c422c835e1f8a5
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple embedded URLs, with a critical heuristic firing for a link to a known malicious redirector. The document body, though partially corrupted, contains text related to file downloads and includes the malicious redirector URL. This suggests the PDF is designed to trick users into visiting the redirector, likely leading to further malicious activity.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off00005dc9.bin
  SHA-256: d9571139ff8a1abd8314ea41e07eea3f4dc54e306663ca8c0f62a18da99d631a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5DC9
  Size: 5212 bytes

font_01_sfnt_off00006f82.bin
  SHA-256: d0c9e33916e9e64e42e31bcf0d345f6c2fcd41735b1a34df0119bd0eb1094281
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6F82
  Size: 3720 bytes

font_02_sfnt_off00007ae6.bin
  SHA-256: 8a1bbb790cee7d65978163c1a73c1a5f9c896d6d4f1a138faefdfc8a77eabe74
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7AE6
  Size: 15224 bytes

font_03_sfnt_off0000aa79.bin
  SHA-256: 35d3440dae1ebc896564e4e6f70ea95aa3a30a1ac603c7fffbb21b68b8b72e2f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAA79
  Size: 16036 bytes

font_04_sfnt_off0000bf1f.bin
  SHA-256: e4e9f51daf47f7db59bff9e83eff651305e3fdc6c063b1cb2622371475fbbc5a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBF1F
  Size: 7492 bytes