Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d427275be85b157…

MALICIOUS

PDF

41.4 KB Created: 2020-11-08 13:49:12 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: e71e621f53f2db189df6580bc5233d4d SHA-1: 95846a4f9f9b7b51cb16cd973bcb2b0ad99b96c2 SHA-256: 5d427275be85b1573bd9e988279adaa6e92a09be51d5803b34624063f5638038
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with a prominent one pointing to 'https://trafftec.ru/aws?keyword=broussard+middle+school+calendar'. This URL, combined with the heuristic 'PDF_SEO_LINK_FARM' and 'PDF_SEO_UTM_REDIRECTOR_LINK', suggests a phishing or SEO-based malicious redirection scheme. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the document's structure and embedded links are indicative of a lure for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafftec.ru/aws?keyword=broussard+middle+school+calendar PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4452852/normal_5fa78d4eba549.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369323/normal_5f89ef83d9877.pdfIn PDF document text
    • https://nirumoxizexajiv.weebly.com/uploads/1/3/4/5/134524745/tagofivawo-nezojes-pejat.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4365582/normal_5f896df4cfd52.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4381756/normal_5f8c3f4ba81ea.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4413703/normal_5f9c99e35a25a.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/508c0a5b-beb0-41ac-92ec-b9b2939f0e42/aston_martin_vanquish_manual_conversion_for_sale.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6ec32215-e0cd-4949-8451-951394b485c9/lodufuzowebukidoza.pdfIn PDF document text
    • https://rirosap.files.wordpress.com/2020/11/tajowawiwategabezefifog.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/dc312519-618a-4eb8-a948-26a5c4ea7822/kibagesaxaju.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cc560481-1131-4e58-a3ee-9a3e5740fe1d/nokizuva.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fac1cb66-212e-42af-9727-cb31e58f5cf0/10237163748.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/038f26bf-bbfa-4872-a4c0-1e0ee58db513/xitevu.pdfIn PDF document text
    • https://s3.amazonaws.com/jamokaroxoj/21447141046.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4ff00670-3fae-4abd-aa51-285854f08f72/jijumejalibuzujudusobabuk.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000064fb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x64FB 5228 bytes
SHA-256: 5a7a83a758ec21a434433f32f9653cc5a3e7f143e69890b3afc2fda41f78a0ae
font_01_sfnt_off00007693.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7693 10000 bytes
SHA-256: 7873da2bbef399139f6c3aed34a705884327def38cc46d62788336f49bb0452b