Malicious PDF — malware analysis report

Static analysis result for SHA-256 736702a7a378666d…

MALICIOUS

PDF

124.6 KB Created: 2020-11-04 12:46:35 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: 63f6e92d10a55e96b51f54fa8ba67cea SHA-1: 2414632a4352b0b3557948b95336d81065619c39 SHA-256: 736702a7a378666d0161906d993f852e598c4f0a552604177a05fabdd18cc490
220 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains numerous embedded links, with a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK pointing to 'https://ggtraff.ru/strik?keyword=1040+ez+form+2018+printable+irs.gov'. This, combined with the PDF_SEO_LINK_FARM heuristic, indicates a likely phishing or scam attempt using a fake IRS form lure to drive traffic to malicious infrastructure. The ML_NYX_PDF_MALICIOUS flag further supports the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=1040+ez+form+2018+printable+irs.gov In PDF document text
    • https://buveziketi.weebly.com/uploads/1/3/1/3/131398526/fovubukoduved-mekur-vasazilivapuxok-bavukatajimoje.pdfIn PDF document text
    • https://fupiloxeti.weebly.com/uploads/1/3/4/3/134380404/4473640.pdfIn PDF document text
    • https://dimaxafazeza.weebly.com/uploads/1/3/1/4/131453031/8767144.pdfIn PDF document text
    • https://zoxuzuxebexot.weebly.com/uploads/1/3/0/9/130969059/93049f265a0000.pdfIn PDF document text
    • https://vonubaxuted.weebly.com/uploads/1/3/1/4/131452839/23a0c7580a1aa.pdfIn PDF document text
    • https://varipejat.weebly.com/uploads/1/3/0/7/130739080/9331163.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/panalipolifod/relapapegosoxidojo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2932aaae-d0a2-414f-a91a-3a2a46e47556/pepuwiseviremivejoguv.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/43f62e72-86cd-4cf5-8bd9-8db9c1e95099/28169513990.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ee2c15c6-9857-4dcf-828b-642c5805e658/hubbard_vector_calculus_5th_edition.pdfIn PDF document text
    • https://s3.amazonaws.com/davolazupivowi/minecraft_nitwit_villager_breeding.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ee8ff2a8-8b45-4407-bcdf-fbcd39631adf/labyrinth_of_solitude.pdfIn PDF document text
    • https://s3.amazonaws.com/tamobalasu/nutrition_facts_for_taco_bell_beef_chalupa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/925a660c-dd2d-453e-9261-24a3a5084db1/74339456385.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d635de61-0aad-4f4a-8591-f656228eb0cb/the_cherry_orchard_by_anton_chekhov.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001a8c9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A8C9 6016 bytes
SHA-256: a81ebcbb605e72a89610f8315c4d0ee4946092309b6803cc3e02ffcad3f2bcbb
font_01_sfnt_off0001bd48.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1BD48 11616 bytes
SHA-256: 851951d065e22092c7a9de161e0696c021d9ba24adb376850fa6b8421c0aae66