Malicious PDF — malware analysis report

Static analysis result for SHA-256 e34efa6541ce2f06…

MALICIOUS

PDF

Size: 62.6 KB
Created: 2020-09-21 08:48:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e15ea3c46e8a052868a7fe21ffd283f3
SHA-1: dfb06a4ffbdddf26a0c8f45b0383eae05688e2e6
SHA-256: e34efa6541ce2f06a6e8c8babe4208c760a72b96eac3f3550db59a9efacf2fda
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF contains a link that redirects to known malicious infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains the same URL, suggesting a social engineering lure. The PDF_SEO_LINK_FARM heuristic indicates the PDF is part of a larger link farm, likely for SEO manipulation or to distribute malicious links.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.link/wix?keyword=krishna+and+radha+love+story

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ab38.bin
    SHA-256: 590e505856694fb2a2235396c1de59ff9d26c6d8f4c8319956c21404d636fa5e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAB38
    Size: 5044 bytes
  • Filename: font_01_sfnt_off0000bc66.bin
    SHA-256: d9db6972400b074ffad187fbc8bf37a1658062291a22259ff0feb9cf33bb7b95
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBC66
    Size: 11028 bytes
  • Filename: font_02_sfnt_off0000e0a6.bin
    SHA-256: 5970570c822852250d8de92eaa88d272f53e52bd5511729a7ee3479476229d84
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE0A6
    Size: 3092 bytes