Malicious PDF — malware analysis report

Static analysis result for SHA-256 436e393dc0d7f3c4…

MALICIOUS

PDF

43.0 KB Created: 2020-11-08 18:28:52 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-26
MD5: c32dee47f418ff7128f84ad0c4e7d73d SHA-1: c287ec614a689c6b445b927a595d353338dd9e20 SHA-256: 436e393dc0d7f3c4a46196e1f3d7c9b7be47aee9bea555960b304653ae27cbf0
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document functions as a link farm, directing users to a malicious redirector URL disguised as a search result for '1998 ap calculus bc multiple choice answers'. The ML classifier strongly indicates malicious intent, and the embedded URLs point to known malicious infrastructure. The document's primary purpose appears to be to drive traffic to malicious sites, likely for further exploitation or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/wb?keyword=1998%20ap%20calculus%20bc%20multiple%20choice%20answers In PDF document text
    • https://fusefediwotedi.weebly.com/uploads/1/3/4/5/134589876/4db85fa47b27e.pdfIn PDF document text
    • https://rolosakuzorega.weebly.com/uploads/1/3/1/3/131379035/mazewemor-mufuzokobupaxe-pipidefij-xiritexirat.pdfIn PDF document text
    • https://pozimetotekiv.weebly.com/uploads/1/3/4/3/134339641/8831862.pdfIn PDF document text
    • https://bilopoxowug.weebly.com/uploads/1/3/4/4/134439404/5443f1.pdfIn PDF document text
    • https://worozimovazez.weebly.com/uploads/1/3/1/4/131406108/5164519.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4376379/normal_5f9dc3ca3d9fd.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://tetilomolin.files.wordpress.com/2020/11/ejercicios_resueltos_sacar_factor_comun_polinomios_3_eso.pdfIn PDF document text
    • https://besarividem.files.wordpress.com/2020/11/64565099040.pdfIn PDF document text
    • https://bodowekinil.files.wordpress.com/2020/11/pokemon_emerald_hm_location.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/dfaeeeb6-5329-4cd1-98b1-a70b03c93d6e/wanorijoge.pdfIn PDF document text
    • https://galitedavaku.files.wordpress.com/2020/11/41531066890.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/43c73d0e-8d9d-485a-9a08-962aa4f5df08/45092085341.pdfIn PDF document text
    • https://tevarew.files.wordpress.com/2020/11/88608638079.pdfIn PDF document text
    • https://zesokipiv.files.wordpress.com/2020/11/sokuw.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066af.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x66AF 5712 bytes
SHA-256: e92521078aa34c8e74aa5c3e1ca6a1bf7b2b4f3725470395e218bd6214bbb493
font_01_sfnt_off00007a04.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7A04 10696 bytes
SHA-256: 998b706c36a8a35a3cc924bc839cc944e1144a4595564d831ab5f38ddbc6f601

Open this report in the interactive analyzer, or submit your own file for analysis.