Malicious PDF — malware analysis report

Static analysis result for SHA-256 751bf24fd0639e2d…

MALICIOUS

PDF

46.3 KB Created: 2020-10-09 10:53:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-23
MD5: a103d347e2f96bf154ebdb27db8a31e3 SHA-1: d733f87dfee3d7aabae0635683931bd8891b3046 SHA-256: 751bf24fd0639e2dc99b5e93d1c3ff8617968b113ab6c2b8b9effb1c58d4e1fc
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links that redirect to a malicious URL, identified by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The ML classifier also flagged the document as malicious with high confidence. The document body, though heavily obfuscated, contains a URL that appears to be part of a link farm designed to manipulate search engine results, as indicated by the PDF_SEO_LINK_FARM heuristic. The presence of embedded URLs and the redirection to a known malicious domain suggest an attempt to lead the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=honeywell+ms9520+manual+pdf In PDF document text
    • http://files.fantasydraftkit.net/uploads/1/3/2/3/132302857/tutugobe-jujopif-mopuvi-zulabalinum.pdfIn PDF document text
    • http://files.iowaiova.com/uploads/1/3/0/8/130814669/8263128.pdfIn PDF document text
    • http://files.drandrewgoldberg.com/uploads/1/3/1/6/131606603/724ad9da.pdfIn PDF document text
    • http://gewanokak.streetlynxshop.com/uploads/1/3/0/7/130738870/kadifo.pdfIn PDF document text
    • http://kepumuku.westfieldkennels.co.nz/uploads/1/3/0/7/130738731/burivijetirapu_wuseluf_mizefitux_kufemipip.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/b0d84464-bc1b-403c-988e-61251c01bd57/43623651072.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/01bdb11b-0ffd-491d-b2c0-a4ecaae75938/90726927159.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ed529054-9a09-4ad1-b8be-cff65ef848c3/bavipisurevuw.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/887fcccc-8f03-4b34-94fd-f601be2823a3/jixezobibep.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0499/3240/2850/files/superuser_pro_apk_root.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/4190/7100/files/554399772.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0482/1742/4024/files/masterclass_premium_cookware.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0500/4745/1286/files/katukipufanumatefonoze.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0436/9884/7894/files/consolidated_property_management_redondo_beach.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3a60df58-863e-4198-bc90-f062e8339d14/47757453423.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9ae6cf05-82be-4fb7-9d20-c8f8095709d9/1921235041.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ba3abd3a-0550-44ed-b86b-0e6d0eacf787/50550264085.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4dccdcff-cf7b-43f1-8ffc-8b63671218c5/goxagekeja.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/30b448b3-98d0-44c9-a8e2-096f714d20fa/togopizitoruwofibep.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007457.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7457 5800 bytes
SHA-256: 12a9c423b674ad41a3db0e4c52f125cdef3c62cddf9029544cf1daa5cbf8b3b8
font_01_sfnt_off0000881e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x881E 10656 bytes
SHA-256: 52a1563b231bd38c9f9f0c58921d4e53f2a9c770a70bcee2a706a7bba36f172f

Open this report in the interactive analyzer, or submit your own file for analysis.