Malicious PDF — malware analysis report

Static analysis result for SHA-256 189170bb94ffc73d…

Verdict: MALICIOUS
File type: PDF
Size: 74.2 KB
Created: 2020-10-29 11:44:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: 118a7bfb291f4b8cc059b91dcec363f1
SHA-1: de347d6ca979ab28b88123b86fdcab2aa059af28
SHA-256: 189170bb94ffc73d771f907ca2a71291dc65f8e199b5b2169f20841fa30c0776
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and routes users through malicious redirector infrastructure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel)
    • https://ttraff.ru/123?keyword=rhymes+with+room (In PDF document text)
    • https://dejolezeg.weebly.com/uploads/1/3/2/8/132815968/surepakedubujenuzu.pdf (In PDF document text)
    • https://fakimodixoto.weebly.com/uploads/1/3/0/7/130739088/binadamejosenedo.pdf (In PDF document text)
    • https://wubobuxidozexe.weebly.com/uploads/1/3/4/3/134322977/vigibebikam-fukoxewewazowa-gemaxag.pdf (In PDF document text)
    • https://towimoni.weebly.com/uploads/1/3/4/3/134340956/dapupadurulisaf_zoxex_kowovokak.pdf (In PDF document text)
    • https://taxajadotediru.weebly.com/uploads/1/3/0/8/130873824/7254862.pdf (In PDF document text)
    • https://kanudepu.weebly.com/uploads/1/3/2/7/132740929/powukaw_sunuf_ruziwi.pdf (In PDF document text)
    • https://xuzowezawejinat.weebly.com/uploads/1/3/4/3/134378303/1794311.pdf (In PDF document text)
    • https://xufiwelak.weebly.com/uploads/1/3/1/1/131164558/xipil.pdf (In PDF document text)
    • https://sasenepekevob.weebly.com/uploads/1/3/4/2/134266747/xubovorexixom.pdf (In PDF document text)
    • https://tavumake.weebly.com/uploads/1/3/2/7/132740551/gerilulivomek.pdf (In PDF document text)
    • https://jawowigo.weebly.com/uploads/1/3/0/7/130774982/zelubukuxomep.pdf (In PDF document text)
    • https://repafajekojila.weebly.com/uploads/1/3/4/3/134305679/fc2cfa3b217.pdf (In PDF document text)
    • https://misutinulil.weebly.com/uploads/1/3/1/4/131407711/8315006.pdf (In PDF document text)
    • http://fedorahosted.org/lohit (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://www.opentle.org (In PDF document text)
    • https://s3.amazonaws.com/zamuriza/72818398767.pdf (In PDF document text)
    • https://s3.amazonaws.com/zirojopemup/47621781889.pdf (In PDF document text)
    • https://s3.amazonaws.com/bubodeliza/xeredemalakasilej.pdf (In PDF document text)
    • https://s3.amazonaws.com/gupuso/79323837355.pdf (In PDF document text)
    • https://s3.amazonaws.com/vavabi/warhammer_fantasy_bretonnia.pdf (In PDF document text)
    • https://s3.amazonaws.com/roware/81362987510.pdf (In PDF document text)
    • https://s3.amazonaws.com/gedimuta/73314996180.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)
    • http://www.gnu.org/licenses/gpl.html (In PDF document text)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Columns: Filename / Kind / Source / Size / SHA-256

  • stream_006_off000093c9.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x93C9
    Size: 3332 bytes
    SHA-256: d34259f5fe648219f51495ecb7962b33c972df7439e809a56e875ed7b55ba7f1
  • font_00_sfnt_off0000634e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x634E
    Size: 6068 bytes
    SHA-256: 92701bf5013f93b9f879ab9eec550dac013380f55235121ceafb19a221fddae2
  • font_01_sfnt_off0000783c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x783C
    Size: 4884 bytes
    SHA-256: 6376777faa3c744a1a5630a76569ac33925bc532657fb5dd17a33b0a7fd95afd
  • font_02_sfnt_off000088c5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x88C5
    Size: 2656 bytes
    SHA-256: dbaab8dcf32bfe64cb008f34eb54f5316f62236e8dffe3de49b44225404383a5
  • font_04_sfnt_off0000a0f5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA0F5
    Size: 2108 bytes
    SHA-256: d117309382da938f7dffedc42f90dd4217b4d540d75629b80669d975ecbc171e
  • font_05_sfnt_off0000aac0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAAC0
    Size: 6640 bytes
    SHA-256: 538512be6c526ea957b587fa229624d829dca4873b622d187784a60d2c877fcd
  • font_06_sfnt_off0000bc5e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBC5E
    Size: 16000 bytes
    SHA-256: ca54f8431fb2bcdc13d2568fb950d3e0a44098d84d7423bc8b049a824f9fe79d
  • font_07_sfnt_off0000eb08.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB08
    Size: 18812 bytes
    SHA-256: 7ace09ee4fc7e73cb3bdc5ea9a55ea8c1e8c591d4235fe6cf945f7a028cbad93
  • font_08_sfnt_off00010974.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10974
    Size: 3556 bytes
    SHA-256: b37282e47715d058972705a341a9b8c13cb6ae940d9ae0550d0b5ae5cc375df7