Malicious PDF — malware analysis report

Static analysis result for SHA-256 52ef0adc3a912488…

MALICIOUS

PDF

65.5 KB Created: 2020-12-21 10:52:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 87bb615c342051418df8525cc01bd879 SHA-1: 98b878c27ac798dd94c024dfca3a81a144df6763 SHA-256: 52ef0adc3a912488e1ac37e8e0d2f5e3834e46b691d88c52d443bc2477cf617f
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many pointing to external PDF files hosted on platforms like Weebly and Squarespace, indicating a link farm. One critical heuristic identified a link to known malicious redirector infrastructure. The document body, though heavily obfuscated, contains text related to 'cartoon wars on hbo max', suggesting a lure to a potentially malicious site. No scripts were extracted, but the presence of numerous links to external resources and a critical redirector heuristic strongly suggests a malicious intent to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9140

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?utm_term=why+isn%2527+t+cartoon+wars+on+hbo+max
    • https://rajaxamakato.weebly.com/uploads/1/3/2/3/132302926/f301b678bb3578.pdf
    • https://bizevino.weebly.com/uploads/1/3/4/3/134320064/rilobagisoginutonasa.pdf
    • https://cdn-cms.f-static.net/uploads/4369665/normal_5fa9e9b9dbc6c.pdf
    • https://cdn-cms.f-static.net/uploads/4419637/normal_5fba3d72143c4.pdf
    • https://cdn-cms.f-static.net/uploads/4406454/normal_5fb8abef4bbd4.pdf
    • https://cdn-cms.f-static.net/uploads/4384142/normal_5f8e1a1680e1b.pdf
    • https://zepigebilotexo.weebly.com/uploads/1/3/0/7/130739401/51d5158896b7d2c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe09f7f3de5e49b52b5592/1606289912836/rifovibozajiveko.pdf
    • https://static1.squarespace.com/static/5fc296815e8e827d4298a2f8/t/5fcc43d405ddc9599d1515ba/1607222229402/music_theory_books_for_beginners.pdf
    • https://s3.amazonaws.com/vapite/bluetooth_drivers_for_windows_10.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef62.bin
ebd988983075367613bd39230625cfad84e77b8b42990e1f96f19a603f12e9fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF62 5456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.