Malicious PDF — malware analysis report

Static analysis result for SHA-256 30f7c9ee426a59ac…

Verdict: MALICIOUS
File type: PDF
Size: 108.6 KB
Created: 2020-10-28 23:40:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-26
MD5: 92a4b9d53d8df95c7e55284b2fe4c765
SHA-1: 9bfde6eff2e1c09c1de3d5b10c9020cf4ff8c7f3
SHA-256: 30f7c9ee426a59ac64dd4884c1e7e3361d015a3022cc3d8a440c02d67f2c6fc9
Risk score: 192

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript (mapped by the analysis; none of the heuristics below report JavaScript in this sample, and the findings describe a click-through redirect lure, so treat this mapping as weak)

The PDF carries a deceptive link to a malicious redirector URL, flagged by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic; the document body, although heavily obfuscated, contains the same URL. The large number of other external links, most of them on disposable free-hosting sites, indicates a link farm built to distribute malicious content or to abuse search rankings (SEO abuse).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (6)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    A small PDF contains many clickable external PDF links spread thinly across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the "free document/template" SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, not a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    The document contains a call-to-action phrase ("Click here to download", "Download Now", etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gettraff.ru/aws?keyword=ramayanam+sundara+kandam+in+tamil+pdf+free+download (in PDF document text)
    • https://gixapogaruxa.weebly.com/uploads/1/3/4/3/134331356/4f64fc5fc4c9f1.pdf (in PDF document text)
    • https://niparazuxadema.weebly.com/uploads/1/3/4/0/134040736/7124624.pdf (in PDF document text)
    • https://tedumuwoke.weebly.com/uploads/1/3/1/3/131397970/6270435.pdf (in PDF document text)
    • https://nosekuge.weebly.com/uploads/1/3/2/7/132740467/9134513.pdf (in PDF document text)
    • https://dofazodasi.weebly.com/uploads/1/3/0/8/130873943/libor.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://s3.amazonaws.com/felasorarabipis/bar_chart_questions.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/de2c4ead-995c-4e75-9896-8cc5a4f2c9da/30768622320.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f6bdebb3-077c-4ef0-b3ec-e90a85564fca/precalculus_9th_edition_answers.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d40c94ce-303d-49e1-89ce-1744e87863d2/wozisalisukos.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0502/4422/3131/files/long_multiplication_and_division_worksheets.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/874c247a-437a-42f2-a4ae-945ec94cdc28/71746862906.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0498/7584/5278/files/wagizoroxetix.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/09a05497-5e66-4c6f-8d18-4997cb65420e/tikob.pdf (in PDF document text)
    • https://s3.amazonaws.com/susopuzupure/bonang_matheba_book_download.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f12614df-adce-4a18-b12d-88cbd856bad7/1027300910.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/141878a7-17fa-49be-b463-4328d391f696/nawarelisumo.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0494/2230/3399/files/14590488351.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/09c20c48-d2ae-4054-ad66-094c5f5f8ca6/zusesorizewidiz.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e450fa23-c60f-4b31-803f-b41b6cdf4184/korefob.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8527ecd7-a4e3-49ba-89b1-318b6f32ca19/94257649976.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/03ed14bc-f771-466b-8ef3-4611d24647fc/dipijiselokibukikix.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a761cd86-d122-40b7-9f6a-ca133125e79b/tikuzibiso.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/27bf3a3b-880a-4375-8c22-8c8f40b6a73d/diferencia_entre_algebra_y_aritmetic.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0482/8335/3249/files/to_be_verb_forms.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0266/8173/7393/files/77835033907.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Of these, the www.w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace URIs from the document metadata, and the ascendercorp.com, daltonmaag.com, fedorahosted.org/lohit, dejavu.sourceforge.net and scripts.sil.org/OFL entries are copyright/licence strings from the embedded sfnt fonts (see Extracted artifacts). Neither class is a lure. The actionable set is the gettraff.ru keyword redirector and the 25 .pdf links parked on weebly.com, strikinglycdn.com, cdn.shopify.com and s3.amazonaws.com; note that the redirector's query key here is keyword= rather than utm_term.
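The link-farm heuristics above reduce to a few measurable properties of the extracted URL set: how many clickable external .pdf links there are, how concentrated they are on one host, how many sit on free/disposable hosting, and whether a keyword-style redirector is present. The Python below is an added example, not the analysis engine's code: it runs over the 39 URLs listed in this report and approximates those heuristics. The disposable-host suffixes, the keyword/utm_term redirector keys, the gettraff.ru blocklist entry (taken from the report's own finding), the benign-URL classes and the thresholds (10 links, 50% share, 5 distinct hosts) are assumptions of the example, not the engine's actual rules.

```python
from collections import Counter
from urllib.parse import parse_qs, urlparse

# The 39 URLs listed in the report's EMBEDDED_URL finding (channel "In PDF document text").
REPORT_URLS = [
    "https://gettraff.ru/aws?keyword=ramayanam+sundara+kandam+in+tamil+pdf+free+download",
    "https://gixapogaruxa.weebly.com/uploads/1/3/4/3/134331356/4f64fc5fc4c9f1.pdf",
    "https://niparazuxadema.weebly.com/uploads/1/3/4/0/134040736/7124624.pdf",
    "https://tedumuwoke.weebly.com/uploads/1/3/1/3/131397970/6270435.pdf",
    "https://nosekuge.weebly.com/uploads/1/3/2/7/132740467/9134513.pdf",
    "https://dofazodasi.weebly.com/uploads/1/3/0/8/130873943/libor.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "http://fedorahosted.org/lohit",
    "http://www.daltonmaag.com/",
    "https://s3.amazonaws.com/felasorarabipis/bar_chart_questions.pdf",
    "https://uploads.strikinglycdn.com/files/de2c4ead-995c-4e75-9896-8cc5a4f2c9da/30768622320.pdf",
    "https://uploads.strikinglycdn.com/files/f6bdebb3-077c-4ef0-b3ec-e90a85564fca/precalculus_9th_edition_answers.pdf",
    "https://uploads.strikinglycdn.com/files/d40c94ce-303d-49e1-89ce-1744e87863d2/wozisalisukos.pdf",
    "https://cdn.shopify.com/s/files/1/0502/4422/3131/files/long_multiplication_and_division_worksheets.pdf",
    "https://uploads.strikinglycdn.com/files/874c247a-437a-42f2-a4ae-945ec94cdc28/71746862906.pdf",
    "https://cdn.shopify.com/s/files/1/0498/7584/5278/files/wagizoroxetix.pdf",
    "https://uploads.strikinglycdn.com/files/09a05497-5e66-4c6f-8d18-4997cb65420e/tikob.pdf",
    "https://s3.amazonaws.com/susopuzupure/bonang_matheba_book_download.pdf",
    "https://uploads.strikinglycdn.com/files/f12614df-adce-4a18-b12d-88cbd856bad7/1027300910.pdf",
    "https://uploads.strikinglycdn.com/files/141878a7-17fa-49be-b463-4328d391f696/nawarelisumo.pdf",
    "https://cdn.shopify.com/s/files/1/0494/2230/3399/files/14590488351.pdf",
    "https://uploads.strikinglycdn.com/files/09c20c48-d2ae-4054-ad66-094c5f5f8ca6/zusesorizewidiz.pdf",
    "https://uploads.strikinglycdn.com/files/e450fa23-c60f-4b31-803f-b41b6cdf4184/korefob.pdf",
    "https://uploads.strikinglycdn.com/files/8527ecd7-a4e3-49ba-89b1-318b6f32ca19/94257649976.pdf",
    "https://uploads.strikinglycdn.com/files/03ed14bc-f771-466b-8ef3-4611d24647fc/dipijiselokibukikix.pdf",
    "https://uploads.strikinglycdn.com/files/a761cd86-d122-40b7-9f6a-ca133125e79b/tikuzibiso.pdf",
    "https://uploads.strikinglycdn.com/files/27bf3a3b-880a-4375-8c22-8c8f40b6a73d/diferencia_entre_algebra_y_aritmetic.pdf",
    "https://cdn.shopify.com/s/files/1/0482/8335/3249/files/to_be_verb_forms.pdf",
    "https://cdn.shopify.com/s/files/1/0266/8173/7393/files/77835033907.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/",
    "http://ns.adobe.com/xap/1.0/rights/",
    "http://dejavu.sourceforge.net",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
    "http://scripts.sil.org/OFL",
]

# Assumptions of this example (analyst-maintained lists, not the engine's rules).
DISPOSABLE_HOST_SUFFIXES = ("weebly.com", "strikinglycdn.com", "cdn.shopify.com", "s3.amazonaws.com")
REDIRECTOR_QUERY_KEYS = {"keyword", "utm_term"}   # SEO keyword-redirector markers
KNOWN_REDIRECTOR_HOSTS = {"gettraff.ru"}          # the redirector host this report flags
# Benign URL classes: XMP/RDF namespace URIs and font copyright/licence strings.
METADATA_PREFIXES = ("http://www.w3.org/", "http://purl.org/", "http://ns.adobe.com/")
FONT_LICENCE_HOSTS = {"dejavu.sourceforge.net", "scripts.sil.org", "www.ascendercorp.com", "www.daltonmaag.com", "fedorahosted.org"}


def classify_url(url):
    # Bucket one extracted URL; order matters: metadata and font strings are excluded first.
    p = urlparse(url)
    if url.startswith(METADATA_PREFIXES):
        return "metadata"
    if p.hostname in FONT_LICENCE_HOSTS:
        return "font-licence"
    if REDIRECTOR_QUERY_KEYS & set(parse_qs(p.query)):
        return "redirector"
    if p.path.lower().endswith(".pdf"):
        return "pdf-link"
    return "other"


def is_disposable(host):
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)


def assess_links(urls, min_links=10, cluster_share=0.5, min_hosts=5):
    # Approximates the report's link-farm heuristics; every threshold here is an assumption.
    by_class = {}
    for u in urls:
        by_class.setdefault(classify_url(u), []).append(u)
    pdf_links = by_class.get("pdf-link", [])
    n = len(pdf_links)
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    r = {
        "pdf_links": n,
        "distinct_hosts": len(hosts),
        "dominant_host": top_host,
        "dominant_share": top_n / n if n else 0.0,
        "disposable_share": sum(c for h, c in hosts.items() if is_disposable(h)) / n if n else 0.0,
        "redirectors": by_class.get("redirector", []),
        "labels": [],
    }
    if any(urlparse(u).hostname in KNOWN_REDIRECTOR_HOSTS for u in r["redirectors"]):
        r["labels"].append("PDF_MALICIOUS_REDIRECTOR_LINK")
    if n >= min_links and r["dominant_share"] >= cluster_share:  # clustered on one host
        r["labels"].append("PDF_SEO_LINK_FARM")
    if n >= min_links and len(hosts) >= min_hosts and (r["redirectors"] or r["disposable_share"] >= cluster_share):
        r["labels"].append("PDF_SEO_DISPOSABLE_LINK_FARM")  # spread thin over disposable hosts
    return r
```

Run over this report's URL set, `classify_url` leaves 25 .pdf links after discarding 6 metadata and 7 font-licence strings, and `assess_links` reports 8 distinct hosts with uploads.strikinglycdn.com holding 13 of the 25 links (52%), all 25 on disposable hosting, plus the one gettraff.ru redirector. With these assumed thresholds both link-farm labels fire on the same file, which is consistent with the two heuristics co-occurring above: one host is dominant by a slim margin, yet the remaining links are spread across seven other free-hosting domains.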

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • stream_008_off000160df.bin (decompressed-pdf-stream): FlateDecode stream at file offset 0x160DF, 29148 bytes
    SHA-256: ee3b9c3721b2d7caa2e8c7de441ce0547cbf0cbb135b3383bbf3c323b74674fe
  • font_00_sfnt_off0000fb0b.bin (pdf-font-stream): embedded sfnt font at file offset 0xFB0B, 3012 bytes
    SHA-256: a399fe96af801c2052f662cdbde4f42b4a683414ee7bc8e1620d29cb9b520efd
  • font_01_sfnt_off000105d2.bin (pdf-font-stream): embedded sfnt font at file offset 0x105D2, 5336 bytes
    SHA-256: c6fbcaf11dc7e0d337209554e9206cf8a84522960d630d2a79ca306fe6ebf265
  • font_02_sfnt_off000117f6.bin (pdf-font-stream): embedded sfnt font at file offset 0x117F6, 13380 bytes
    SHA-256: 2b651799644892ba78581d78572381cba6b7b2fa70280531490cf524304ec85a
  • font_03_sfnt_off000137fb.bin (pdf-font-stream): embedded sfnt font at file offset 0x137FB, 12472 bytes
    SHA-256: 2c70d74618a93a39ec257de82990549a92067aaefb2a793d7a75669231fb7f44
  • font_05_sfnt_off00019461.bin (pdf-font-stream): embedded sfnt font at file offset 0x19461, 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
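The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding and the artifact table above both come from a raw scan of the file bytes: every `N G obj ... endobj` definition in file order, and every FlateDecode stream inflated and hashed at its byte offset. The Python below is an added example, not the analysis engine's code, that performs that scan over a constructed two-revision PDF built inline, whose incremental update redefines objects 3 and 4 with different bodies. The object layout, the URI action in the second revision, the call-to-action strings, the active-content keyword list and the info/medium severity names are assumptions of the example.

```python
import hashlib
import re
import zlib

# Constructed sample (not the report's file): a two-revision PDF whose incremental update
# redefines objects 3 and 4, the shape PDF_DUPLICATE_OBJ_BODY_INCREMENTAL describes.
FIRST_TEXT = b"BT /F1 12 Tf 72 700 Td (Click here to download) Tj ET"
SECOND_TEXT = b"BT /F1 12 Tf 72 700 Td (Download Now) Tj ET"


def _obj(num, gen, body):
    return b"%d %d obj\n%s\nendobj\n" % (num, gen, body)


def _flate_stream(raw):
    data = zlib.compress(raw)
    return b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(data), data)


SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _obj(1, 0, b"<< /Type /Catalog /Pages 2 0 R >>")
    + _obj(2, 0, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
    + _obj(3, 0, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>")
    + _obj(4, 0, _flate_stream(FIRST_TEXT))
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object numbers, different bodies, plus a page-open URI action (assumed)
    + _obj(4, 0, _flate_stream(SECOND_TEXT))
    + _obj(3, 0, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R "
                 b"/AA << /O << /S /URI /URI (https://example.invalid/dl) >> >> >>")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream\b", re.S)
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|URI)\b")  # assumed "active content" keys
CTA_RE = re.compile(rb"(click here to download|download now)", re.I)


def find_objects(data):
    # Lexical scan only: a stream whose bytes happen to contain 'endobj' would be cut short;
    # a production parser honours /Length and the xref tables. Returns (num, gen) -> [(offset, body)].
    defs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append((m.start(), m.group(3).strip()))
    return defs


def duplicate_objects(data):
    # Objects defined more than once; severity rises only when bodies differ AND carry active content.
    findings = []
    for key, entries in find_objects(data).items():
        if len(entries) < 2:
            continue
        differ = len({body for _, body in entries}) > 1
        active = any(ACTIVE_RE.search(body) for _, body in entries)
        findings.append({
            "obj": key, "definitions": len(entries), "bodies_differ": differ,
            "first_wins_offset": entries[0][0], "last_wins_offset": entries[-1][0],
            "active_content": active,
            "severity": "medium" if differ and active else "info",
        })
    return findings


def carve_flate_streams(data):
    # Inflate every FlateDecode stream, keyed by file offset, as the Extracted artifacts table does.
    out = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        if sm is None or b"/FlateDecode" not in body[:sm.start()]:
            continue
        try:
            inflated = zlib.decompress(sm.group(1))
        except zlib.error:
            continue  # truncated or corrupt stream: worth its own finding in a real triage tool
        out.append({
            "obj": (int(m.group(1)), int(m.group(2))),
            "offset": m.start(3) + sm.start(1),  # absolute offset of the compressed bytes
            "size": len(inflated),
            "sha256": hashlib.sha256(inflated).hexdigest(),
            "data": inflated,
        })
    return out


def call_to_action_hits(data):
    # Lure phrases inside inflated content streams (the SE_DOWNLOAD_BUTTON signal).
    return [(s["obj"], s["offset"], h.group(1).decode())
            for s in carve_flate_streams(data) for h in CTA_RE.finditer(s["data"])]
```

On the constructed sample, `duplicate_objects` reports objects 3 0 and 4 0 as each defined twice with differing bodies; only 3 0 is raised above info, because its second body carries an /AA URI action, while 4 0 (a body-only change to a content stream) stays at info, which is the severity logic the heuristic describes. `carve_flate_streams` returns both content streams with their offsets and hashes, and `call_to_action_hits` finds the two lure phrases inside them. On a real file, compare the first-wins and last-wins offsets against what the viewer you care about actually renders.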