Malicious PDF — malware analysis report

Static analysis result for SHA-256 461983311305d691…

MALICIOUS

PDF

34.7 KB Created: 2020-10-30 03:23:34 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: afafe8cd59adea1fbcbaa29b6bf82fdc SHA-1: ed95c6eadee718c639b63a43ce892beb3cd4320d SHA-256: 461983311305d691ed6db4361d83b225dc3a4a364a799187895ec88c6e62492c
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document was flagged as malicious due to a high number of embedded links, many of which point to known redirector infrastructure. The document body contains garbled text but includes a URL that appears to be part of a link farm designed to distribute malicious content. No scripts were extracted, but the sheer volume of suspicious links suggests an attempt to lure users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/aws?keyword=the+photographer%2527s+eye+composition+and+design+pdf
    • https://kilejotiwig.weebly.com/uploads/1/3/1/4/131406519/274455.pdf
    • https://dabituge.weebly.com/uploads/1/3/4/3/134344098/7544966.pdf
    • https://cdn-cms.f-static.net/uploads/4386089/normal_5f9124eeb06da.pdf
    • https://feloxoxux.weebly.com/uploads/1/3/4/0/134000485/wiloguxavuwo_bugidem_mawejemexebi_bazebelitu.pdf
    • https://cdn-cms.f-static.net/uploads/4366399/normal_5f8e8c9051b03.pdf
    • https://cdn-cms.f-static.net/uploads/4369506/normal_5f8b436f2ef58.pdf
    • https://xexegetogud.weebly.com/uploads/1/3/4/3/134375989/leviwubanopo_jidowoterut_bugizewoxi.pdf
    • https://cdn-cms.f-static.net/uploads/4366057/normal_5f8a5325dcf26.pdf
    • https://damijuvik.weebly.com/uploads/1/3/1/3/131381376/fuxurepuneso_degufub_gerakujuvox.pdf
    • https://cdn-cms.f-static.net/uploads/4366337/normal_5f87347e38bda.pdf
    • https://cdn-cms.f-static.net/uploads/4366364/normal_5f8738d951a1d.pdf
    • https://cdn-cms.f-static.net/uploads/4367297/normal_5f924fac9b364.pdf
    • https://cdn-cms.f-static.net/uploads/4421776/normal_5f97e1ceeff20.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7ebd9b26-d50f-43ee-a4ba-a141dee03a45/20978580528.pdf
    • https://uploads.strikinglycdn.com/files/ad16e3ff-4ca8-438e-9d53-9309f86d0659/semelamegese.pdf
    • https://uploads.strikinglycdn.com/files/d67bc726-d57d-4e46-aed6-f2f913faf3e1/nunewufuwe.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006aec.bin
147fddd09e0125dda1e80015f4098ffd47f2a8d01ac63cd23504142d90f0ea62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AEC 5412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.