Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a7f88f70f172bb4…

Verdict: MALICIOUS
File type: PDF

Size: 62.1 KB
Created: 2020-11-04 13:00:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a114ed6ca0259f6309223cf18149bdde
SHA-1: 1d28a9799712c2fc108245f6755960d21b39198d
SHA-256: 3a7f88f70f172bb49befd0ea1e02274435342c3f3fd12f6e695a8755f992edd5
Risk Score: 162

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links, with one identified as a malicious redirector. The ML classifier strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains the URL that also fired the malicious redirector heuristic, suggesting the primary purpose is to drive traffic to this malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?keyword=fda+recommended+daily+intake+water

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00007372.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7372
    Size: 12604 bytes
    SHA-256: 6cc41274badcbe79f68c0f3a895e386a4985edf4219cb1a80eaba9d942d0792e
  • font_01_sfnt_off00009c6d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9C6D
    Size: 5120 bytes
    SHA-256: a33b287ee936f24f252115c870d9265d0a2ded0c2dba743572851dbb4f36487a
  • font_02_sfnt_off0000addf.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xADDF
    Size: 11624 bytes
    SHA-256: 0c020443714be61c2458dd736ec3a724a9ac7c776480adf30c0cb1c2484a6acf
  • font_03_sfnt_off0000d59b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD59B
    Size: 16076 bytes
    SHA-256: 6f31d8a09968cb758392806dff4ce0e2643fc3d6dc332c5b9fa07753cf63feee