Malicious PDF — malware analysis report

Static analysis result for SHA-256 310f2e426fb78e35…

MALICIOUS

PDF

35.2 KB Created: 2020-10-05 01:53:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-22
MD5: a9f43b9c53d132964a5099fa5b1f8db9 SHA-1: ca2d982799cde0b2fb6b3893b867ce2e02a339de SHA-256: 310f2e426fb78e357808e358b005a97386cae2056a0c6ea038122295c62a6836
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one specifically identified as a known malicious redirector. The document body, though heavily obfuscated, includes the target URL and other suspicious domains, suggesting a phishing or redirection attempt. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=entrepreneurship+theory+in+practice+3rd+edition+pdf In PDF document text
    • https://site-1042983.mozfiles.com/files/1042983/81590637756.pdfIn PDF document text
    • https://site-1037145.mozfiles.com/files/1037145/sunowu.pdfIn PDF document text
    • https://site-1037240.mozfiles.com/files/1037240/kilupevaligomizajijuzuvu.pdfIn PDF document text
    • https://site-1040216.mozfiles.com/files/1040216/livupedowaxapebap.pdfIn PDF document text
    • https://site-1036719.mozfiles.com/files/1036719/95733696824.pdfIn PDF document text
    • http://zilikal.alma-cac.org/uploads/1/3/1/4/131437462/jimafutunube_dusadokivul.pdfIn PDF document text
    • http://files.goentreecare.com/uploads/1/3/1/6/131636655/090c7e.pdfIn PDF document text
    • http://redevajix.excel-education.ca/uploads/1/3/1/4/131437402/laror-mibuse-nerubojopu.pdfIn PDF document text
    • http://winas.recraftandrelic.com/uploads/1/3/0/7/130776255/vilumuzoke_topifejefuguve.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/e5f508fe-3964-40b0-a1dc-5e94f4d92206/46061285989.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/744ad0d1-7b65-495e-bd51-7df734626f8e/86434579714.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/328314c6-c4f1-4408-92ac-f769c3d1c2e0/zodikuwafeje.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f1d182a8-4814-4b32-a517-14934450cc6c/73413921695.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cb92167e-d44b-407b-a476-5da067a55191/57694652574.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b15.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4B15 5436 bytes
SHA-256: 6b40d27fa390d0ac519b3d9cca605942b7d996902a737566dad5873a5d08ff6e
font_01_sfnt_off00005d95.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5D95 10076 bytes
SHA-256: d4274dfffe900cd24e59bf624c64ac81c8a3554ad2dfb21e7624dce8add9c961