Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d5bbe21c84885ce…

MALICIOUS

PDF

Size: 40.3 KB
Created: 2020-07-10 16:39:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 16fe407f274207373d49a09f241a38ef
SHA-1: 532331366c982bfca57da1c7e7675ae7f1e8ca1e
SHA-256: 3d5bbe21c84885ce2fba0441f000c44dc0aabc3a86f790c35ab6e6d1a61a52e5
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, many of which point to domains that appear to be part of a link farm designed for SEO manipulation. One of the primary links directs to a known malicious redirector. The document body, while containing garbled text, also includes the same URLs, reinforcing the intent to drive traffic to these external sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable URI pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006052.bin
    SHA-256: cb6dc565a324b3d5f98f916d9d1533470bb61d39f8f569a3e2ad5cdaec922b18
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6052
    Size: 5384 bytes
  • Filename: font_01_sfnt_off000072a0.bin
    SHA-256: 4c4c2f2257538bd4234921d9f4dac920c867de160d0a64b2ba1a00b8d51282d4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72A0
    Size: 9860 bytes