Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b77a651d12d1405…

MALICIOUS

PDF

Size: 56.6 KB
Created: 2020-11-26 08:54:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9f63d5bdabe8be73c0a1c11ab0f09e39
SHA-1: af4a235d91d121d95498683432b10aaf12b048ba
SHA-256: 1b77a651d12d1405b6b7b7f46d27e0e566f0ba076ed627c59690ef989a2fda53
Risk Score: 212

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This small PDF contains a large number of embedded clickable links, at least one of which points to known malicious redirector infrastructure. The heuristics PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM indicate a deliberately generated link farm rather than normal document citations: most of the links are external .pdf URLs clustered on a handful of file-hosting domains. The ML classifier (malicious score 0.9877) and the ClamAV signature Pdf.Phishing.Trojan further support the verdict. The redirector URL carries the search phrase 'predator prey simulation online' as its utm_term parameter, and the document body, though heavily obfuscated, contains related text, which points to an SEO lure: the file is meant to rank for that query and route a user who clicks through into a redirect chain, not to exploit the PDF reader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9877

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffmen.ru/strik?utm_term=predator+prey+simulation+online
    • https://cdn-cms.f-static.net/uploads/4366045/normal_5f86f5a4ddb6e.pdf
    • https://cdn-cms.f-static.net/uploads/4409801/normal_5fbd3be28a0ca.pdf
    • https://gililizu.weebly.com/uploads/1/3/4/7/134770310/bedoderexakika.pdf
    • https://cdn-cms.f-static.net/uploads/4459028/normal_5fadc97f00f29.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ad595fe2-e520-4a2a-817c-695144e4b3e6/fekubejekov.pdf
    • https://s3.amazonaws.com/mavixu/warefuzoluz.pdf
    • https://uploads.strikinglycdn.com/files/b79cf490-18ce-47c3-9ad9-9abbcbdbaa1a/dragon_ball_capitulo_3.pdf
    • https://uploads.strikinglycdn.com/files/9b011371-417e-4285-9b23-a0d23b9f8d97/98502115970.pdf
    • https://uploads.strikinglycdn.com/files/37965620-1777-4815-83b0-da7309b9882d/witoxemojorojo.pdf
    • https://s3.amazonaws.com/dazifozixawus/billionaire_full_video_song.pdf
    • https://uploads.strikinglycdn.com/files/8ab861cb-b1bb-4a2d-8854-40e02bfe9e98/qyt_kt-7900d_and_kt-8900d_user_manual.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000c62b.bin
SHA-256: 62b8cc7a83d28e9b811162e8098e726e1a01d70afdbe1f61b284c0cfad040d1f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xC62B
Size: 5208 bytes