Malicious PDF — malware analysis report

Static analysis result for SHA-256 25244085f820c9c2…

Verdict: MALICIOUS
File type: PDF
Size: 53.7 KB
Created: 2020-11-05 05:13:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-27
MD5: c6addb2fb2dede013b1d9c973fa872e5
SHA-1: 1e624a61235dbb68db4d7253250759b1498c58f8
SHA-256: 25244085f820c9c2d2aa14a703bf0b6fcd5c2a784f1ba3bb3cd885c605d89ce6
Risk Score: 184

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

This PDF file is identified as malicious due to its function as a link farm. It contains numerous embedded URLs that redirect to other PDF files hosted on disposable domains, ultimately leading to malicious infrastructure like 'ggtraff.ru'. The ML classifier strongly supports this assessment. The primary attack pattern involves luring users through a chain of redirects, likely to deliver a secondary payload or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ggtraff.ru/123?keyword=words+with+trace+in+it (In PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00008743.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8743 | 4888 bytes
  SHA-256: c33c51a80f184ff89ef16f8c7cbe33f675e99b66ba4ebe6b824e695171379d90
font_01_sfnt_off000097ec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x97EC | 10584 bytes
  SHA-256: 1c8863646c1cba52a441a96e9d5e4b416121c6fff6eecc4d3540ca303dc10417
font_02_sfnt_off0000bc37.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBC37 | 4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3