Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f800945a584d1b0…

MALICIOUS

PDF

59.5 KB Created: 2020-12-17 14:29:17 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7724aa82812186cd01ad69a3698b00d2 SHA-1: 776f5c8755a5217961b06039f1d761e8cc695ac5 SHA-256: 5f800945a584d1b03d49d53a318a45a00895689e99dce698e9047ac7e406c10c
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links to external websites, including a known malicious redirector. The document body, though corrupted, suggests a lure related to pet grooming. The presence of multiple PDF links and a malicious redirector indicates an attempt to lead the user to potentially harmful content or phishing sites. No scripts were extracted, but the PDF structure itself facilitates the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?utm_term=lisas+pet+grooming+turlock
    • https://static.s123-cdn-static.com/uploads/4489440/normal_5fc3b6b541d4c.pdf
    • https://bomejafir.weebly.com/uploads/1/3/4/7/134725936/vubav_rizelit.pdf
    • https://savakofanedekin.weebly.com/uploads/1/3/4/8/134872369/6688633.pdf
    • https://zugozoriv.weebly.com/uploads/1/3/4/7/134770463/damavenaxukup_gurigisexagoji_ratitivadujazor.pdf
    • https://cdn-cms.f-static.net/uploads/4470964/normal_5fd8997c6ca3d.pdf
    • https://cdn-cms.f-static.net/uploads/4455198/normal_5fb2910fd2356.pdf
    • https://kajipeluvo.weebly.com/uploads/1/3/4/3/134318391/tevinoguzeme-gusabiwe-jinimomapopul-vepazaj.pdf
    • https://cdn-cms.f-static.net/uploads/4413012/normal_5f9dfd5001c57.pdf
    • https://cdn-cms.f-static.net/uploads/4490369/normal_5fd6c5ed0b201.pdf
    • https://static.s123-cdn-static.com/uploads/4408596/normal_5fc3cc27de0fa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/beb5f27e-1eae-4764-9bc0-2c319032c331/kukitari.pdf
    • https://uploads.strikinglycdn.com/files/99728c65-1320-4481-96f9-bf46196f7700/mumunuzakorupidu.pdf
    • https://uploads.strikinglycdn.com/files/80cb28b6-55b0-4135-9796-665f0a897301/85921532006.pdf
    • https://uploads.strikinglycdn.com/files/8706a89c-9565-4b94-ba0d-803ec5c4a301/rexowoxig.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ad71.bin
05594ef9b7ab840a4d928e13e574393dbbdbb5fc56425ca674ec8252f266a4ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAD71 5256 bytes
font_01_sfnt_off0000bf45.bin
da5b5462a37e6fbecdcc4de0273797a1d89421a712e28e09d14a57908ea1553c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBF45 9952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.