Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb8c81344294003b…

MALICIOUS

PDF

106.2 KB Created: 2020-09-04 23:07:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 38c8ca0eb6cf70e1e2896203160acafa SHA-1: 3150f484bc4d92fa0d5eb7e29ee57dd703b14447 SHA-256: eb8c81344294003b21b966540f4f7af323ce96c8f0826b2e8a7ba6f710578144
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a link that redirects to a known malicious domain, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The document body, though heavily obfuscated, contains text suggesting it is a "Clat 2014 question paper with answers", which is a common lure for phishing or malware delivery. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=clat+2014+question+paper+with+answers
    • https://static.usrfiles.com/ugd/c2007e_73cb0ebaa4344b54924536f89fca2ec3.pdf
    • https://static.usrfiles.com/ugd/7ff653_379a063574e6407fbac93fd760b6ea32.pdf
    • https://static.usrfiles.com/ugd/b8c837_e03fbc2826624aef8dd0d6211dca4743.pdf
    • https://static.usrfiles.com/ugd/aec2ea_74b541f51d16467185ca38962f24d369.pdf
    • https://static.usrfiles.com/ugd/cfa91a_08bcd7ac9695484b9fdc0b9c74c7a05b.pdf
    • https://static.usrfiles.com/ugd/1df9ea_dfc4734ec9e74d659cc7db16e8a4e076.pdf
    • https://cdn.shopify.com/s/files/1/0437/6556/3549/files/61746509695.pdf
    • https://cdn.shopify.com/s/files/1/0439/2304/6568/files/airline_industry_definition.pdf
    • https://static.usrfiles.com/ugd/4bb103_2ff8b860249247a6978c0b880ff503b1.pdf
    • https://static.usrfiles.com/ugd/4aae87_95746396fa9042d6b305fce0677577f0.pdf
    • https://static.usrfiles.com/ugd/b8c837_933bf5f93a564e5d826650df50e82b30.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00015c7e.bin
f114d45e07bb981a10f0bcaf7fe3c6d39792f582854b0a9a994e2c9fd2dcc5f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15C7E 5444 bytes
font_01_sfnt_off00016f1b.bin
6b79566fa5a3de31c10c8a611e581be3b5051b5a2c8dc6c2f45638a4b20eadf8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16F1B 14464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.