Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b03a8bc958627ad…

MALICIOUS

PDF

61.1 KB Created: 2020-11-25 23:20:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8d2a596f86c434200fef361ef34dad6c SHA-1: 3a567c7bf8f1152af3925ff5d6ab596f47a3d1f9 SHA-256: 1b03a8bc958627ad489e2aedd89faffbd303e195b62987b90edd9165b2073dbb
242 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a large number of embedded links, many pointing to disposable domains and Weebly-hosted PDFs, indicating a link farm. One critical heuristic identified a link to known malicious redirector infrastructure. ClamAV also detected this file as a phishing trojan. The document's primary function appears to be redirecting users to potentially malicious or SEO-manipulated content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7544

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/aws?utm_term=attack+on+titan+2+switch+performance
    • https://vufevilasok.weebly.com/uploads/1/3/4/3/134314299/wiwomaxa_zelidazemev.pdf
    • https://rizenorugeworo.weebly.com/uploads/1/3/4/3/134379336/digebumukej.pdf
    • https://gusumadanu.weebly.com/uploads/1/3/2/6/132695601/pasex.pdf
    • https://vugogirofezufus.weebly.com/uploads/1/3/4/3/134355312/minuk-zonewabajuxib-bogosepejanu-vawalizo.pdf
    • https://laverikiwife.weebly.com/uploads/1/3/4/5/134502667/4004344.pdf
    • https://gokopawe.weebly.com/uploads/1/3/4/4/134493337/lanaxutodi.pdf
    • https://jufopikigon.weebly.com/uploads/1/3/4/3/134309667/beminunij_jixutafaz_penunewaluno_jabopuditawori.pdf
    • https://litovabijoku.weebly.com/uploads/1/3/4/6/134666457/474ad187.pdf
    • https://cdn-cms.f-static.net/uploads/4386829/normal_5fb54801c51d6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ec5e5095-4ebf-495e-8b3a-b56bd0603c44/vogolaletali.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ca9a.bin
87e12f07cd1636312d99838a20a8b571faddfe423d62b2d949e72d64ed3d79c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCA9A 5500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.