Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e9b0bc9ad5321d1…

MALICIOUS

PDF

89.3 KB Created: 2021-06-01 05:50:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c1872171a8a1bd1929e788167768b71f SHA-1: 7e8b6b0d19de7f4db2bcad93963b48f3c218895a SHA-256: 6e9b0bc9ad5321d1428215572e7f04d5bec8643a518dedb0ee810b7a5be48c35
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous embedded links, many of which point to external PDF files hosted on services like Weebly and Strikingly, suggesting a link farm or SEO manipulation tactic. One critical heuristic identified a link to known malicious redirector infrastructure, and another flagged the document as a PDF SEO link farm. The ML classifier also strongly indicated maliciousness. While no scripts were extracted, the sheer volume of external links and the presence of a malicious redirector strongly suggest an attempt to lead users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://yafferge.ru/123?utm_term=tata+durashine+roofing+sheets+dealers+in+coimbatore
    • https://posolefuriw.weebly.com/uploads/1/3/4/3/134374222/8321923.pdf
    • https://dipakiwafopij.weebly.com/uploads/1/3/0/7/130740044/nebobazarubek.pdf
    • https://static.s123-cdn-static.com/uploads/4495536/normal_5fe562bcd065e.pdf
    • https://pumelagu.weebly.com/uploads/1/3/2/8/132814433/pabikumozuv-pepapesazol-nivibidivex-vudasuboz.pdf
    • https://rojusonevupa.weebly.com/uploads/1/3/0/8/130814232/wulejupi_tenej.pdf
    • https://cdn-cms.f-static.net/uploads/4422134/normal_603b68fa54e6f.pdf
    • https://cdn-cms.f-static.net/uploads/4379984/normal_60370affc7eca.pdf
    • https://vorevowupi.weebly.com/uploads/1/3/4/6/134633589/kijopupiseg_gesitef.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/52eb43f7-bab6-48f7-9971-f66565361c5f/84412083663.pdf
    • http://wozixokumo.pbworks.com/f/sri_rudram_chamakam_sanskrit.pdf
    • http://sizolasipape.pbworks.com/w/file/fetch/144413196/96885001549.pdf
    • https://uploads.strikinglycdn.com/files/4d2c2986-a5ab-4a33-a3a6-ee47b5c5eb47/73640177996.pdf
    • http://xalomuzavege.pbworks.com/w/file/fetch/144436626/how_much_area_can_a_wood_stove_heat.pdf
    • https://uploads.strikinglycdn.com/files/6e6b0543-825f-4e86-a1d5-7b28b89ca1a5/direvatokute.pdf
    • https://uploads.strikinglycdn.com/files/63db188c-31c9-40e0-9e6d-45745f06b7e4/pagaxujulajaroz.pdf
    • https://uploads.strikinglycdn.com/files/11e01c8b-2424-40f2-85e3-abd5d1668d96/department_of_arts_and_culture_application_form.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011dbb.bin
54fa0a86e6da76e6f611be47b47dc22e07394ff78c42964e26c85b8b025a888d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11DBB 5524 bytes
font_01_sfnt_off0001305e.bin
7f2f74ff08b46c68844bcd11faa7990dfbd9fcdccc0ec246abd711342fe7db28		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1305E 11528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.