Malicious PDF — malware analysis report

Static analysis result for SHA-256 30381bbe748ad640…

Verdict: MALICIOUS
File type: PDF
Size: 40.8 KB
Created: 2020-07-13 19:00:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f99ccd74360c3a001a743a7f50d112ce
SHA-1: 781ed4a929496df88c49d8021b1d650218bdc9f6
SHA-256: 30381bbe748ad6400d51ce841406a08e7346cac62f4e45a598ea1b925068371b
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to domains associated with link farms and redirectors. The heuristics PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM indicate that these links are intended to lead users to malicious infrastructure, and the ML classifier also strongly flagged this PDF as malicious. The document body appears to be malformed or truncated, but the presence of 'wkhtmltopdf' and 'Qt' in the metadata suggests it was generated by an HTML-to-PDF tool, possibly to obscure the malicious links.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The trailing w3.org, purl.org and ns.adobe.com entries below are the standard RDF/Dublin Core/XMP namespace URIs from the document's XMP metadata packet rather than clickable links.
    • https://ttraff.cc/wb?keyword=tecnicas%20de%20episiorrafia%20pdf
    • http://files.raquelmeraki.com/uploads/1/3/2/7/132740860/3354846.pdf
    • http://files.delibythebeach.com/uploads/1/3/1/4/131407152/bogujip.pdf
    • http://files.theglamstationspa.com/uploads/1/3/1/3/131383645/5cde4eb.pdf
    • http://files.inspiredlearninglab.org/uploads/1/3/1/4/131437172/7144681.pdf
    • http://files.thegaydybunchfamily.com/uploads/1/3/1/8/131856173/mawavenukururufojen.pdf
    • http://files.kimkirch.com/uploads/1/3/0/7/130775827/welobozutudirol-fulunim.pdf
    • http://files.sgesurfreport.com/uploads/1/3/0/9/130969657/mizetodisefeju.pdf
    • http://files.myapplepodcast.com/uploads/1/3/1/4/131455621/63580.pdf
    • http://files.sgesurfreport.com/uploads/1/3/0/9/13
    • https://rodimudesa.files.wordpress.com/2020/07/xivazeki.pdf
    • https://nobijip.files.wordpress.com/2020/06/dovekegawepu.pdf
    • https://loxijesuvoti.files.wordpress.com/2020/07/82014496646.pdf
    • https://mabumuwilux.files.wordpress.com/2020/07/muvudosog.pdf
    • https://cdn.shopify.com/s/files/1/0429/6101/0842/files/zenuxibuzilafuj.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/32343356061.pdf
    • https://cdn.shopify.com/s/files/1/0427/9821/9420/files/dovosasegot.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/89647405972.pdf
    • https://cdn.shopify.com/s/files/1/0431/2065/6545/files/vidusonoxatiruguseku.pdf
    • https://cdn.shopify.com/s/files/1/0430/7917/2257/files/82413980923.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/zevuwuvufotolotatagonisex.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006179.bin
    SHA-256: 17c6a1eae9445e398a83b725a1169792542c9885998347759ed3ede5a3b953b1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6179
    Size: 4776 bytes
  • font_01_sfnt_off000071a6.bin
    SHA-256: 40f568e2787e88b50b3028b59eaf2e989de80a2c218938e8ff348f9d8f365ccc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x71A6
    Size: 10716 bytes