Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c7e921b7ba0e99f…

Verdict: MALICIOUS
File type: PDF
Size: 40.8 KB
Created: 2020-10-15 05:45:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: 2ecacd92f3c2d178696a64b023a26b68
SHA-1: ff0c3df8d62df97442f532a78a6612d99450abcd
SHA-256: 3c7e921b7ba0e99fab6ba994eec068fa741621ebfac884a9e1943a985f438e14
Risk Score: 184

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of clickable links, most of them to other PDFs parked on free or disposable content hosts (weebly.com, strikinglycdn.com, f-static.net, cdn.shopify.com). This is the pattern of a generated link farm built to rank for search queries and route users into redirect chains, not a document with a normal citation pattern. Two heuristics fired at critical severity: a clickable URI to known malicious redirector infrastructure, and the mass external PDF link farm itself. The ML classifier also scored the file as malicious with maximum confidence. No parser exploit or active content was identified in the file; the risk lies in the linked destinations.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (all reached via the PDF document text channel):
    • https://gettraff.ru/pify?keyword=fitness+gym+app+android
    • https://sepikupi.weebly.com/uploads/1/3/0/7/130738949/9930655.pdf
    • https://wurikosaradusif.weebly.com/uploads/1/3/1/3/131384544/c10996.pdf
    • https://fupexorugukemig.weebly.com/uploads/1/3/0/8/130814763/5652282.pdf
    • https://fijojonibiw.weebly.com/uploads/1/3/2/6/132681787/vifotatilaw.pdf
    • https://gidixelasulam.weebly.com/uploads/1/3/0/7/130739099/5aecbec99.pdf
    • https://cdn-cms.f-static.net/uploads/4365591/normal_5f876c39e05c0.pdf
    • https://cdn-cms.f-static.net/uploads/4367633/normal_5f8763734ce35.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8ce28794-d8bf-4347-b521-e842b69da226/63857854563.pdf
    • https://uploads.strikinglycdn.com/files/fea95157-1cd6-482b-9c35-e8d2299b1243/84315502518.pdf
    • https://uploads.strikinglycdn.com/files/3fd46ff8-3287-459c-8163-44b1d5b1b87e/85785526756.pdf
    • https://uploads.strikinglycdn.com/files/4e524a54-015b-4b4b-ac6e-97fedb0f36d9/gixidop.pdf
    • https://uploads.strikinglycdn.com/files/6b9d75dc-b995-48e9-8acf-65ad3c2e5d02/wigitavepafo.pdf
    • https://uploads.strikinglycdn.com/files/b4121ecc-9309-422b-a8dc-dacad875b569/pudamanuwiganope.pdf
    • https://uploads.strikinglycdn.com/files/5bd6b6ae-c62b-4b70-9afc-3a92455d06a8/lixelujezaxusoj.pdf
    • https://uploads.strikinglycdn.com/files/1d56accd-d818-4c15-9c37-7641884d5f6b/53136403177.pdf
    • https://uploads.strikinglycdn.com/files/88ed4e68-aff8-4f0d-b6f0-1ec07959ece8/37702233108.pdf
    • https://uploads.strikinglycdn.com/files/23f35046-00da-4104-9de7-400b7ba1d1d8/newojusamomekagikivinol.pdf
    • https://uploads.strikinglycdn.com/files/961e2f00-f0ea-4151-b94b-ce0fbc83a7c4/gowumisigikufexudi.pdf
    • https://cdn.shopify.com/s/files/1/0435/3707/2280/files/200_ft_ethernet_cable_outdoor.pdf
    • https://cdn.shopify.com/s/files/1/0503/2080/1942/files/rgpv_3rd_sem_syllabus_mechanical.pdf
    • https://cdn.shopify.com/s/files/1/0438/4171/6389/files/how_to_draw_a_bow_and_arrow_from_minecraft.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    Note: the w3.org, purl.org and ns.adobe.com entries are standard RDF, Dublin Core and XMP namespace URIs from the document's metadata, and the scripts.sil.org (SIL Open Font License) and ascendercorp.com (font foundry) entries come from the two embedded fonts. They are inert string values, not link annotations, and are not part of the link farm. The remaining entries are the clickable PDF links on weebly.com, f-static.net, strikinglycdn.com and cdn.shopify.com that drive the link-farm heuristics, plus the gettraff.ru keyword link.
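The link-farm heuristics (PDF_SEO_LINK_FARM, PDF_SEO_DISPOSABLE_LINK_FARM) and the duplicate-object heuristic (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) above are easy to reproduce on a raw PDF byte stream. The following script is an added example written for this report, not the scanner's own code. It runs on a constructed minimal PDF (not the analysed sample) that carries /URI link annotations shaped like the ones listed above and one indirect object defined twice with different bodies. The size and clustering thresholds, and the list of "active content" keys, are assumptions for this example, not the scanner's values.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): a minimal PDF skeleton with
# link annotations shaped like the report's link farm, plus object 10 0
# defined twice with different bodies, the second copy adding /OpenAction.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://gettraff.ru/pify?keyword=fitness+gym+app+android&utm_term=x) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://uploads.strikinglycdn.com/files/aaaa/1.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://uploads.strikinglycdn.com/files/bbbb/2.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://uploads.strikinglycdn.com/files/cccc/3.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-a.weebly.com/uploads/1/2/3/4.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.shopify.com/s/files/1/0/0/0/files/5.pdf) >> >> endobj
10 0 obj << /Producer (wkhtmltopdf 0.12.5) >> endobj
10 0 obj << /Producer (wkhtmltopdf 0.12.5) /OpenAction 11 0 R >> endobj
trailer << /Root 1 0 R /Info 10 0 R >>
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Keys whose presence turns a duplicate object from incremental-update noise
# into something that changes reader behaviour (assumed list for this example).
ACTIVE_KEYS = (b"/OpenAction", b"/AA", b"/JS", b"/JavaScript", b"/Launch", b"/EmbeddedFile")

# Thresholds are assumptions for this example, not the scanner's values.
SMALL_PDF_BYTES = 200_000
MIN_PDF_LINKS = 3
CLUSTER_RATIO = 0.5


def extract_link_uris(pdf: bytes) -> list[str]:
    """Return the /URI targets of link annotations, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_metrics(uris: list[str], size_bytes: int) -> dict:
    """Score a URL list the way the report's two link-farm heuristics describe it."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    host_counts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = host_counts.most_common(1)[0] if host_counts else (None, 0)
    dominance = top_count / len(pdf_links) if pdf_links else 0.0
    utm_redirector = any("utm_term=" in urlparse(u).query for u in uris)
    verdicts = []
    if size_bytes < SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS:
        # Clustered on one dominant host vs. spread thin across many hosts.
        verdicts.append("PDF_SEO_LINK_FARM" if dominance >= CLUSTER_RATIO
                        else "PDF_SEO_DISPOSABLE_LINK_FARM")
    return {"pdf_links": len(pdf_links), "hosts": len(host_counts),
            "top_host": top_host, "dominance": dominance,
            "utm_redirector": utm_redirector, "verdicts": verdicts}


def find_duplicate_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> first/last body and an 'active' flag for every object
    defined more than once with differing bytes; first-wins and last-wins
    readers resolve different content for these."""
    first, last = {}, {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        first.setdefault(key, body)
        last[key] = body
    result = {}
    for key, body in last.items():
        if body != first[key]:
            active = any(k in first[key] or k in body for k in ACTIVE_KEYS)
            result[key] = {"first": first[key], "last": body, "active": active}
    return result


if __name__ == "__main__":
    uris = extract_link_uris(SAMPLE_PDF)
    print(link_farm_metrics(uris, len(SAMPLE_PDF)))
    for (num, gen), d in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined twice with different bodies, active={d['active']}")
```

On the constructed sample, five of the six link targets are external .pdf URLs and three of them sit on one host, so the clustered PDF_SEO_LINK_FARM verdict is returned; the utm_term flag corroborates it. Object 10 0 is reported as a duplicate with active content because its second definition adds /OpenAction, which is exactly the case in which the report says the duplicate-object heuristic would be escalated above info. Note that this scans raw bytes and will miss URIs inside compressed object streams; run it after decompressing with a real PDF library if the file uses /ObjStm.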

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off000061da.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x61DA   5304 bytes
  SHA-256: d81d2353610c117646851cb61a804071cbd3e9206f128b0e488118d796996951
font_01_sfnt_off000073cd.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x73CD   10060 bytes
  SHA-256: 6cc7ba7bbd267fcba80570f999b1be16401544210e1e84c7951b7539b3e17c80