Malicious PDF — malware analysis report

Static analysis result for SHA-256 e878e7449f91c9be…

Verdict: MALICIOUS    File type: PDF

Size: 40.9 KB    Created: 2020-08-20 02:25:12 +03:00    Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 194384ed78c968d1ed024a17ba97c6d4
SHA-1: b4e1eb3e59319eb5697162a6f7efc4efa323485f
SHA-256: e878e7449f91c9beeb1a2d553a42141db28189a7b0e25447664a7c1918448e7c
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged as malicious by a machine learning model and contains a critical heuristic indicating it links to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains URLs that are also present in the embedded link farm. The primary malicious activity appears to be the distribution of links, with one specific URL identified as a redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ttraff.cc/pify?keyword=balettan+molalledi+malayalam+audio+song
    • http://fuzufuwup.umunano.org/uploads/1/3/0/7/130740141/f615612cba13ee1.pdf
    • http://files.missiontriptraining.com/uploads/1/3/2/6/132682802/tavaxadobitunix_tabuxere_kegukadakedewu_vifubi.pdf
    • http://files.blue-house.org/uploads/1/3/0/7/130739532/juwugitegus.pdf
    • http://files.thewelltraveledteacher.com/uploads/1/3/1/3/131381048/tuxij.pdf
    • https://cdn.shopify.com/s/files/1/0434/6209/9097/files/wenepezujositomuruledekin.pdf
    • https://cdn.shopify.com/s/files/1/0432/5366/1851/files/vuwanedojad.pdf
    • https://cdn.shopify.com/s/files/1/0429/7320/0537/files/xuxigajiwexiwo.pdf
    • https://cdn.shopify.com/s/files/1/0430/2998/7489/files/tisonagadijerol.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/sozolomunegodufedawugiwe.pdf
    • https://cdn.shopify.com/s/files/1/0437/4301/9159/files/37608043716.pdf
    • https://cdn.shopify.com/s/files/1/0432/1440/5793/files/nijase.pdf
    • https://cdn.shopify.com/s/files/1/0434/0501/7255/files/fadokisejezunijuloj.pdf
    • https://cdn.shopify.com/s/files/1/0431/6761/3087/files/sugeladijosu.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/dijev.pdf
    • https://cdn.shopify.com/s/files/1/0440/1194/6134/files/rerifedixonabowat.pdf
    • https://cdn.shopify.com/s/files/1/0430/0449/3987/files/5898450358.pdf
    • https://cdn.shopify.com/s/files/1/0438/8270/9160/files/1161895992.pdf
    • https://cdn.shopify.com/s/files/1/0428/0408/4899/files/kexedinasugarukaloworim.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                         SHA-256                                                           Kind                     Source                                      Size
stream_004_off00005d13.bin       b23ba39c61458d8f8ee899206a77dab6d9acccdfe6e78387340bf409629d2f1a  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x5D13    3996 bytes
font_00_sfnt_off00004b76.bin     d4b10eaa3956f595839a6ff99f7d5deb2cb4902711f3c834f6dfa2297bf89938  pdf-font-stream          PDF embedded font (sfnt) at offset 0x4B76   5200 bytes
font_02_sfnt_off00006c43.bin     c992f1ae10c21d5947fb1c4af749caee05cac660acffa9eb3a79f4294380f5eb  pdf-font-stream          PDF embedded font (sfnt) at offset 0x6C43   12660 bytes