Malicious PDF — malware analysis report

Static analysis result for SHA-256 685329ac2b2ab06d…

Verdict: MALICIOUS
File type: PDF

  • Size: 95.5 KB
  • Created: 2020-10-21 01:44:44 +03:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • First seen: 2021-09-14
  • MD5: 5c253db25b11c4b353f0195daebb899d
  • SHA-1: 3c5852134334100ad81f5e63be762c4cd65f356f
  • SHA-256: 685329ac2b2ab06deb27b0623bf35e655dd0c9f012e91def1b18d360057204eb
  • Risk score: 184

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of embedded links, many of which point to disposable hosting services and redirectors, indicating a link farm designed to drive traffic to malicious sites. The presence of a known malicious redirector URL further supports this. Although no scripts were explicitly extracted, the PDF structure and embedded links suggest an attempt to exploit users through deceptive content, likely leading to further malicious activity.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9632

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename (kind): source, size; SHA-256

  • stream_016_off00013bd9.bin (decompressed-pdf-stream): PDF FlateDecoded stream at offset 0x13BD9, 18892 bytes; SHA-256 ad63db25de4e7b269b2592bcd7525a98b526d2d753116db3c13cee84e8d0d93e
  • font_00_sfnt_off00006465.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x6465, 7916 bytes; SHA-256 b6d8f72b59c47e884b0b6746a25c5cbd96eb494928042fd8f7d2b0ad088f297a
  • font_01_sfnt_off000078c4.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x78C4, 4032 bytes; SHA-256 a849b76f9363f6e208a6b3b97826a54f7c8e554eb642b232eb64e54d4f8be3d6
  • font_02_sfnt_off00008735.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x8735, 5336 bytes; SHA-256 b568d48a864d9b404fc15337671d3205c301a8aef06a0bb11c2895ec8115ae9b
  • font_03_sfnt_off00009926.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x9926, 2656 bytes; SHA-256 1620336da6018abf771a3b64a4739dbc5cc5761e5bcfd31f9568e9163b5e6178
  • font_04_sfnt_off0000a42b.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xA42B, 4140 bytes; SHA-256 b7882c459d94d9fb05ee491b72d0ee9c35e8d4bc9ed5787c7a0b3ba78fd6bc86
  • font_05_sfnt_off0000b149.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xB149, 3048 bytes; SHA-256 e23308bb06bff427f4fe2d795198e016b2e9db23d45fd702446b15ef1a1323d1
  • font_06_sfnt_off0000bd55.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xBD55, 2328 bytes; SHA-256 6d897259d7ab9db79b0dbb16904cd99ff486aa7f4a475590a5d3e44eab6e0eed
  • font_07_sfnt_off0000c80e.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xC80E, 2604 bytes; SHA-256 d4cda5a9ecb2558448f754249352cd4d73a8f7efff03060ee9a54ebf713292d1
  • font_08_sfnt_off0000d2eb.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xD2EB, 3840 bytes; SHA-256 869700f7b438b0b0f23cfbf3a170597ae1a6b01e9ba9f60fe7298d5eefb98f81
  • font_09_sfnt_off0000e102.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xE102, 2108 bytes; SHA-256 b3976ad28991401f3a7e0d936621f3963ed8fd81aff5bedc9e25cf6548b1959b
  • font_10_sfnt_off0000eae0.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xEAE0, 4336 bytes; SHA-256 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284
  • font_11_sfnt_off0000f880.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xF880, 6148 bytes; SHA-256 0b38f6fd5e0b54bfa22d5adee1cfe00629fe134100fc7cfc1ad14a2ab7974207
  • font_12_sfnt_off0001086a.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1086A, 16700 bytes; SHA-256 2be3ae6b2e401e89c9d2485206d2c64c33b796f6761af2dd14ecc87331ffb888
  • font_14_sfnt_off00015b35.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x15B35, 3536 bytes; SHA-256 1cc80836e0a54a2c4db1185994f1ac0eab94f7f28d8d60f500043b8ef5b5dd0a