Malicious PDF — malware analysis report

Static analysis result for SHA-256 7213be0e79c4c137…

MALICIOUS

PDF

45.9 KB Created: 2020-09-18 17:36:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 30359fcfc5fe6c4b77a7bb9cb6ea36ba SHA-1: 6df92ff641d7809e5433a37b756298083600bd13 SHA-256: 7213be0e79c4c1377db3fafe39a09e296949cd05e4821f4306899f3ca2334e92
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded links, many of which point to known redirector infrastructure and disposable hosting, indicating a link farm designed for SEO manipulation or malicious redirection. The ML classifier strongly flagged this PDF as malicious. The presence of a redirector URL suggests an attempt to lead the user to a malicious site, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=mangold+property+management+monterey+ca+93940
    • http://kerojuw.methodgallery.com/uploads/1/3/1/3/131381886/7678026.pdf
    • http://files.tranceformlife.co.uk/uploads/1/3/1/3/131379506/savuzisepubuf_puxene_kegamuseziru_lerekagizetake.pdf
    • http://newaton.parksideict.com/uploads/1/3/0/7/130775491/bidixoxena_pofusifuguzoxu_wurisazalepadu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0429/6278/0311/files/70100574450.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/42479515564.pdf
    • https://3c7abd34-b201-4faf-baff-a08690adf7a3.filesusr.com/ugd/ca847e_35379e4a47ea46f1b7794fccbc15b4c3.pdf?index=true
    • https://da496521-e41f-4e73-a7da-f7cbfa59e416.filesusr.com/ugd/5bb01c_8823967782a641b3937bf96ef493231b.pdf?index=true
    • https://af6875e7-dfd2-4e4a-a586-41588f25ac3b.filesusr.com/ugd/1e557c_7b1297e048a54601bbc64c151afd6851.pdf?index=true
    • https://9a79c829-9a29-4148-9048-44ad29b5cee5.filesusr.com/ugd/314c35_89cdd9025f2c463e8fc8b0b666881177.pdf?index=true
    • https://cfce2859-0027-4a53-b7d7-e4660fe826a3.filesusr.com/ugd/ee9d3f_fc31aa3e78ea40ab8283eb1e27f0782d.pdf?index=true
    • https://77014dc6-7f10-4f97-b341-621b98370813.filesusr.com/ugd/9c43ec_2db5af5e1b6740e190fcfe9956b28228.pdf?index=true
    • https://abf3813e-edb3-4066-9d5e-0c24f3bf29a3.filesusr.com/ugd/3724a2_f39e90d9677545f386e1c3687de28d8a.pdf?index=true
    • https://4ae9076e-a445-4741-9c85-55a73024a4fe.filesusr.com/ugd/5b9a87_a07876f6219b49a49bea79def1016a8b.pdf?index=true
    • https://dd5f0d95-4545-43a4-bbd7-a679043627fe.filesusr.com/ugd/01e791_6b72986b82404323b74149f7093d39a2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000709a.bin
8d2c18f222ae994fed6cc20d503cfecc3e594b2448ba70d0ad886e16191a01fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x709A 5872 bytes
font_01_sfnt_off000084a4.bin
97e85f7e950ba283d740e15fdbef7420f8d83d2c7a3408190cdfc7d4b0c99fb1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x84A4 10648 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.