Malicious PDF — malware analysis report

Static analysis result for SHA-256 15b74f39132664ad…

MALICIOUS

PDF

78.8 KB Created: 2020-11-23 13:45:38 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 42d6e3c44725350e830d9621fc72292b SHA-1: 9d0705935c3cb6765d94a83a4ee3033808fdf24f SHA-256: 15b74f39132664adb4e66fa5aee632b14d43bdc01692b910e66c3baec79e9f26
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple critical heuristics for containing malicious redirector links and a link farm. The ML classifier also strongly indicated maliciousness. While no scripts were extracted, the presence of a malicious redirector URL suggests an attempt to lead the user to a phishing or malware distribution site, aligning with a spearphishing attachment attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?utm_term=every+shot+counts+red+dead+redemptio
    • https://cdn-cms.f-static.net/uploads/4417815/normal_5f97b6d6a66a4.pdf
    • https://fulojozizarotuv.weebly.com/uploads/1/3/4/3/134318677/443f2.pdf
    • https://kuserivexujeza.weebly.com/uploads/1/3/4/3/134331384/2328332.pdf
    • https://firedisivimi.weebly.com/uploads/1/3/0/9/130969818/milawo.pdf
    • https://cdn-cms.f-static.net/uploads/4369318/normal_5f8b227c74e1c.pdf
    • https://cdn-cms.f-static.net/uploads/4419415/normal_5f9b15a05747e.pdf
    • https://pufabakorulur.weebly.com/uploads/1/3/4/3/134320636/c1dbd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/lakujusitejojet/alfabeto_hebreo.pdf
    • https://s3.amazonaws.com/pizivurapab/titoritenojepege.pdf
    • https://s3.amazonaws.com/sisaxu/9231118057.pdf
    • https://uploads.strikinglycdn.com/files/4db7fe46-442c-408a-bdbf-e005d7830f49/madosokivinifupajov.pdf
    • https://uploads.strikinglycdn.com/files/2b8fa421-ee1f-4e01-a01a-b2e7fbb484b1/52851056795.pdf
    • https://s3.amazonaws.com/rujimidujek/ketovenufifal.pdf
    • https://s3.amazonaws.com/zozuxukoxo/to_aganara_tulasi_mu_title_song.pdf
    • https://uploads.strikinglycdn.com/files/c7e828e9-ddbe-49dd-9109-a0311b0890a9/records_of_declaration_disbursements_division.pdf
    • https://uploads.strikinglycdn.com/files/72458ea7-de96-4c25-8f9a-386a7098e6fe/towigirenubekije.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e702.bin
3aa90b264e70ef581401076d8a07052397fbdcc7cea76790d18b3cd7a034179d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE702 5280 bytes
font_01_sfnt_off0000f8d7.bin
a858ff688fec8f7322dea6fdbd2daabce852e9160164e3e10a20ad8615066f61		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF8D7 11356 bytes
font_02_sfnt_off00011f84.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11F84 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.