Malicious PDF — malware analysis report

Static analysis result for SHA-256 fccd243ebce3db9d…

MALICIOUS

PDF

44.2 KB Created: 2020-08-11 20:14:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: db10ed94ce5e86f4f7df7bab414c389e SHA-1: ff92261f8e681e1a5c40eb907e1bdc3aae89fc97 SHA-256: fccd243ebce3db9d191619070b528e62cd1380f7238fe53540381ef34da2d45e
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by a critical heuristic for linking to known malicious redirector infrastructure. Additionally, it contains a large number of embedded URLs, suggesting a link farm or SEO poisoning tactic. The ML classifier also strongly indicated maliciousness. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine a more specific attack pattern beyond the malicious link distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=car+wash+business+plan+presentation+pdf
    • http://files.karrathacaravanpark.com.au/uploads/1/3/1/4/131437949/9115762.pdf
    • http://files.haafa.org/uploads/1/3/0/7/130776509/602615.pdf
    • http://denifetag.asimuk.com/uploads/1/3/0/8/130813592/muzug.pdf
    • http://files.placentatrainingcompany.com/uploads/1/3/1/6/131606890/8765209.pdf
    • http://files.earth-shine-llc.com/uploads/1/3/2/3/132303378/985532.pdf
    • https://cdn.shopify.com/s/files/1/0431/7764/0093/files/18812076677.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/siwizobudavegi.pdf
    • https://cdn.shopify.com/s/files/1/0430/5541/5445/files/89688244066.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nejoxalivivurotuzepebibus.pdf
    • https://cdn.shopify.com/s/files/1/0436/9219/5993/files/fisiopatologia_del_absceso_hepatico_amebiano.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/83583068491.pdf
    • https://cdn.shopify.com/s/files/1/0434/4732/0728/files/nefuzidizanikumu.pdf
    • https://cdn.shopify.com/s/files/1/0428/4894/4295/files/jajajuzelokezujasazajez.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/31903895201.pdf
    • https://cdn.shopify.com/s/files/1/0427/7728/0671/files/get_him_to_the_greek_putlocker.pdf
    • https://cdn.shopify.com/s/files/1/0429/3361/6803/files/17356906796.pdf
    • https://cdn.shopify.com/s/files/1/0430/8706/9335/files/24296999849.pdf
    • https://cdn.shopify.com/s/files/1/0430/7792/7072/files/61170209935.pdf
    • https://cdn.shopify.com/s/files/1/0433/4351/1703/files/mapebemagevanivitetux.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e04.bin
acdc80e915363e605101cbb9a1035ad657929b7a0e37887ef625ba9ca600d505		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E04 5264 bytes
font_01_sfnt_off00007fef.bin
b9ba719549d31eaefbfcc6eb125facd920235f7cda8875da95f92b146540d619		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FEF 10264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.