Malicious PDF — malware analysis report

Static analysis result for SHA-256 27a8e4b10acfc709…

MALICIOUS

PDF

Size: 91.7 KB
Created: 2021-01-15 14:53:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e383688c5a44a7f2e07fbaa37ce2a222
SHA-1: 7cbdd1fb6aba64aa94ebbd130e20ffd3e161a566
SHA-256: 27a8e4b10acfc7097aad3a5973985d50f56e2ac7293bd5476342c7478f6accef
Risk score: 214

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple critical heuristics as malicious, including a redirector link and a link farm. The embedded links, such as 'https://traffmen.ru/123?utm_term=assault+mode+activate+tips', likely lead to phishing sites or malware downloads. The presence of numerous external PDF links suggests an attempt to distribute malicious content or engage in SEO manipulation for malicious purposes.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://traffmen.ru/123?utm_term=assault+mode+activate+tips
    • https://cdn.sqhk.co/roretuduva/igicieq/escape_horror_piggy_game_for_robux._new_chapters.pdf
    • https://cdn-cms.f-static.net/uploads/4370056/normal_5fa5b905cdaeb.pdf
    • https://cdn-cms.f-static.net/uploads/4369316/normal_5f8c2250272ff.pdf
    • https://cdn-cms.f-static.net/uploads/4372960/normal_5f889a523e789.pdf
    • https://cdn-cms.f-static.net/uploads/4367632/normal_5f93e82dd1891.pdf
    • https://cdn-cms.f-static.net/uploads/4382407/normal_5fdc7d75057ab.pdf
    • https://nugekepujipa.weebly.com/uploads/1/3/4/3/134318644/pelomigesuv-fozagamaj-vejibufisamago.pdf
    • https://static.s123-cdn-static.com/uploads/4486374/normal_5fc51258832c8.pdf
    • https://static.s123-cdn-static.com/uploads/4409806/normal_5feb0bfe9343b.pdf
    • https://cdn-cms.f-static.net/uploads/4415964/normal_5faf3b5ca2020.pdf
    • https://cdn-cms.f-static.net/uploads/4469828/normal_5fa657dc64b73.pdf
    • https://static.s123-cdn-static.com/uploads/4423780/normal_5feb36fbebb16.pdf
    • https://static.s123-cdn-static.com/uploads/4404497/normal_5ff2533632fb3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off00010527.bin
    SHA-256: c8b7ff9d34b08fd1478ba8871d2285d790882be03e79022634f59ea6bd701105
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10527
    Size: 5172 bytes
  • Filename: font_01_sfnt_off000116b1.bin
    SHA-256: fa98316bad0ee393e4244be63b1d230beb4724cf855be96ad4f2c87a5b302ae2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x116B1
    Size: 2140 bytes
  • Filename: font_02_sfnt_off0001208b.bin
    SHA-256: e2db8f5a48cc9508b40dd924ca056016d70aa368c64eb874df23c91c8539e8c3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1208B
    Size: 11952 bytes
  • Filename: font_03_sfnt_off0001499a.bin
    SHA-256: 31b0f88f8ab213b2d0efb1604e9e92ec04882cab675f7e0285d55621881b0c23
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1499A
    Size: 16716 bytes