Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bc687e7294914a1…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Created: 2020-10-19 09:25:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 508c5dbc92edf7041b8d0703f9aac309
SHA-1: 5424e3d5d7604beb1817401e2a89feb4988625e5
SHA-256: 4bc687e7294914a118faffecbd5ba271373c560f59a0c8e851b0ead6683e5578
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to a redirector service. The primary link identified leads to 'gettraff.ru', which is flagged as malicious. This suggests the document is part of an SEO link farm or a phishing campaign designed to drive traffic to malicious sites. No scripts were extracted, but the PDF structure itself facilitates the malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gettraff.ru/strik?keyword=corsair+void+pro+rgb+usb+driver
    • https://cdn-cms.f-static.net/uploads/4365634/normal_5f8741b42b4e7.pdf
    • https://cdn-cms.f-static.net/uploads/4367283/normal_5f8d1e918c067.pdf
    • https://cdn-cms.f-static.net/uploads/4368964/normal_5f8d037ac79be.pdf
    • https://cdn-cms.f-static.net/uploads/4366366/normal_5f8b39c11f400.pdf
    • https://misutinulil.weebly.com/uploads/1/3/1/4/131407711/7089992.pdf
    • https://finazodaxuvoj.weebly.com/uploads/1/3/2/6/132682535/ragufumakepuxa_musozorelosufuv_rurunufadazif_sakufikizewuvis.pdf
    • https://gawubodukajine.weebly.com/uploads/1/3/0/9/130969599/5840779.pdf
    • https://xuvakaxatal.weebly.com/uploads/1/3/1/0/131070170/lujiwuzov.pdf
    • https://kekerisasil.weebly.com/uploads/1/3/0/7/130775365/2341066.pdf
    • https://cdn-cms.f-static.net/uploads/4386605/normal_5f8cb066cc622.pdf
    • https://cdn-cms.f-static.net/uploads/4367643/normal_5f87a0269a298.pdf
    • https://cdn-cms.f-static.net/uploads/4365567/normal_5f880f1a77dd6.pdf
    • https://cdn-cms.f-static.net/uploads/4369522/normal_5f89a10a55834.pdf
    • https://cdn-cms.f-static.net/uploads/4367665/normal_5f8765a8aa8b3.pdf
    • https://cdn-cms.f-static.net/uploads/4366311/normal_5f875481ded58.pdf
    • https://cdn-cms.f-static.net/uploads/4365600/normal_5f86f832b2b87.pdf
    • https://cdn-cms.f-static.net/uploads/4376599/normal_5f8a6aa037e9f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/0242d950-5412-4628-b8d0-652f1c7117c0/kulefujuzebilejirid.pdf
    • https://uploads.strikinglycdn.com/files/653254ca-efe5-456c-9580-c6d95673dd82/dovomepuludevevogiza.pdf
    • https://uploads.strikinglycdn.com/files/a3652636-52b5-432d-8c14-e91461ce37c1/kelusawukavawa.pdf
    • https://uploads.strikinglycdn.com/files/00ce716a-0802-44b4-aa56-ff0dc620223b/94740728220.pdf
    • https://uploads.strikinglycdn.com/files/e2e2dc4f-e7ad-47b7-a386-498b53f0ff7d/82521364125.pdf
    • https://uploads.strikinglycdn.com/files/e728963b-9c47-40be-854e-ccc43fe4973d/plantilla_con_margenes_para_escribir.pdf
    • https://uploads.strikinglycdn.com/files/eaa0dd0d-bbf4-48a9-bc55-add058d04d30/33200894487.pdf
    • https://uploads.strikinglycdn.com/files/93dea412-5e52-4644-a9a0-306a30ac4bf0/26226684599.pdf
    • https://uploads.strikinglycdn.com/files/6e006ae5-a590-4314-9ed6-2512cdcd789c/zitas.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000079f3.bin
SHA-256: dbddd1e2552873d7ce37d88733b22e51f1fc03ce9014621bcaf73fb08054431e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x79F3
Size: 5200 bytes

Filename: font_01_sfnt_off00008bac.bin
SHA-256: 69175ce5b32588b94941fe5fbecd2e30b365997fce22bcf184c486c2613bf04a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x8BAC
Size: 10580 bytes