Malicious PDF — malware analysis report

Static analysis result for SHA-256 5dae0fb41f8c0d25…

MALICIOUS

PDF

70.8 KB Created: 2021-01-23 17:09:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: 7ae1fc83375df39e2b074919a747d624 SHA-1: e40b1be2f47056b1c1f96371ad143e7b3bf6f16d SHA-256: 5dae0fb41f8c0d25871122013e2a6effb35cab2607adac18eac7efb1b8f17efa
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded URLs pointing to various external PDF files, many hosted on disposable domains. This behavior is indicative of a link farm, likely used for SEO manipulation or to distribute further malicious content. The ML classifier strongly flagged this PDF as malicious, and several heuristics confirm the presence of malicious redirector and link farm infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/123?utm_term=module+7+study+guide In PDF document text
    • https://site-1166657.mozfiles.com/files/1166657/38070353839.pdfIn PDF document text
    • https://lifexego.weebly.com/uploads/1/3/0/8/130874678/xivixituwaj.pdfIn PDF document text
    • https://cdn.sqhk.co/zuxosutuku/ij3oDfI/yellowstone_national_park_interesting_facts.pdfIn PDF document text
    • https://cdn.sqhk.co/lerapuraroke/ichcWia/jutosomoduvenaxulapivej.pdfIn PDF document text
    • https://tazabojadikeze.weebly.com/uploads/1/3/4/6/134648043/bed99afca4b7f8.pdfIn PDF document text
    • https://pixizibonemitu.weebly.com/uploads/1/3/1/3/131382366/wupofoxuzififufe.pdfIn PDF document text
    • https://divekoworubu.weebly.com/uploads/1/3/4/0/134017674/jizufub.pdfIn PDF document text
    • https://vawosogujatu.weebly.com/uploads/1/3/5/2/135293246/f3e47e6285d86.pdfIn PDF document text
    • https://cdn.sqhk.co/nesixepo/uHOhg16/download_metal_slug_shooting_game_mod_apk.pdfIn PDF document text
    • https://site-1168007.mozfiles.com/files/1168007/dual_stick_fighting_2_player_mod_apk.pdfIn PDF document text
    • http://zefakelilivaxo.iblogger.org/47877299253.pdfIn PDF document text
    • https://pemiroma.weebly.com/uploads/1/3/1/3/131383733/5579673.pdfIn PDF document text
    • https://fumevido.weebly.com/uploads/1/3/0/8/130874276/926621.pdfIn PDF document text
    • http://merogerofame.66ghz.com/jatovidu.pdfIn PDF document text
    • https://kipunazumalimak.weebly.com/uploads/1/3/4/7/134755782/9134450.pdfIn PDF document text
    • https://lixojubenolida.weebly.com/uploads/1/3/4/3/134375882/lovebojonitidefu.pdfIn PDF document text
    • https://litazotivov.weebly.com/uploads/1/3/0/7/130740097/6461397.pdfIn PDF document text
    • https://kelurefuvaw.weebly.com/uploads/1/3/0/9/130969237/7839866.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d865.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD865 4876 bytes
SHA-256: 0806d8cf78ccd8663ab5b9cde9ba5e560500bf2e647f40104827bf14488e0e1d
font_01_sfnt_off0000e92b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE92B 10864 bytes
SHA-256: f3170a11310c9cdc1d747c406227c4fe5e0bbcb5484acdef557510885cbe54aa

Open this report in the interactive analyzer, or submit your own file for analysis.