Malicious PDF — malware analysis report

Static analysis result for SHA-256 703c03580694382e…

Verdict: MALICIOUS
File type: PDF
Size: 60.3 KB
Created: 2020-10-27 20:39:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-26
MD5: 97ffcda428b7698fb4caf20efdd6c4cb
SHA-1: 19267df9d341d7b2f8226397c6524dc8935a0984
SHA-256: 703c03580694382e88d7bca531ed61ed41fa2f7af7716e66154ec02af9c28ed3
Risk score: 184

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains a lure promising a license file for Avast SecureLine VPN, which directs users to a malicious redirector and a large farm of links hosted on disposable domains. The embedded links are designed to lead users to potentially malicious content, likely for SEO poisoning or to distribute further malware. No scripts were extracted, but the PDF structure itself facilitates the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.cc/123?keyword=avast+secureline+vpn+license+file+latest (in PDF document text)
    • https://tusutaxuwipafu.weebly.com/uploads/1/3/4/4/134403355/3989965.pdf (in PDF document text)
    • https://fuparududewon.weebly.com/uploads/1/3/1/8/131856041/mefavulopuxajezul.pdf (in PDF document text)
    • https://wekegakusujesal.weebly.com/uploads/1/3/4/2/134266445/8936754.pdf (in PDF document text)
    • https://babikovinemixe.weebly.com/uploads/1/3/1/8/131856339/6850936.pdf (in PDF document text)
    • https://palifeselaliku.weebly.com/uploads/1/3/4/4/134441248/vupum_takaviterabad_pedokagisox_mizaganulawitib.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368474/normal_5f88a4d2d3ffc.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4381997/normal_5f8e7974e079b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4386349/normal_5f91386199da0.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4380070/normal_5f9245ce3a025.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369783/normal_5f892d87ed820.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4390383/normal_5f8ebf841c16a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366050/normal_5f8bcbb982c5d.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369511/normal_5f8beb6bbab3c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379234/normal_5f93e2fb926e5.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4410962/normal_5f97b53dbc5a7.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4372721/normal_5f9328c21b5ae.pdf (in PDF document text)
    • https://vuxozajuje.weebly.com/uploads/1/3/1/3/131379873/rezareludufiven-voxodopi.pdf (in PDF document text)
    • https://sakukavazu.weebly.com/uploads/1/3/1/3/131379729/lokoluditi.pdf (in PDF document text)
    • https://dotigima.weebly.com/uploads/1/3/4/4/134404546/bejipaf.pdf (in PDF document text)
    • http://www.opentle.org (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/suximawo/25630420186.pdf (in PDF document text)
    • https://s3.amazonaws.com/wesezuzuvalirik/alkanes_class_11_notes.pdf (in PDF document text)
    • https://s3.amazonaws.com/felasorarabipis/canonical_ensemble.pdf (in PDF document text)
    • https://s3.amazonaws.com/mibiwivanetuj/37594221965.pdf (in PDF document text)
    • https://s3.amazonaws.com/bitizopovopaso/lokoxiguxepofop.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://www.gnu.org/licenses/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_005_off00008570.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x8570    13484 bytes
  SHA-256: 113a8c9d5ba8d9a281828fa92d24a3d9713deea8cc086e2978641a2525986fb3
font_00_sfnt_off0000742f.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x742F   5060 bytes
  SHA-256: cfc1d07c8263cc3dc23930726a3c2a78ff1b3f83bd66b49639701633a5f6cd19
font_02_sfnt_off0000aa90.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0xAA90   10400 bytes
  SHA-256: be2a3b32182733491b664f19ed4557b3e2f78b2be2e7510562781fe699799698
font_03_sfnt_off0000cdb0.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0xCDB0   16068 bytes
  SHA-256: 5d72d630640305d452d914085fd6c65e0d8125198bed8028c282d44fd0327be8