Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d09e3fad7eddf74…

MALICIOUS

PDF

92.2 KB Created: 2020-10-31 02:29:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-16
MD5: aa1edbbbdc64dbc3fe03af391bd81394 SHA-1: 1dda266fc68f613524377a5f9d397c130e29e9ff SHA-256: 7d09e3fad7eddf743200cfc525d454a46c26a9a2f28527fc6a4c78f11deae075
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a critical heuristic firing for a malicious redirector link impersonating Microsoft, indicating a credential phishing attempt. It also contains a link farm heuristic, suggesting it's part of a larger SEO manipulation scheme. The embedded URL points to a redirector that likely leads to a malicious site or payload download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://fidevawane.weebly.com/uploads/1/3/0/8/130814252/4a8d5db.pdf.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/wb?keyword=factoring%20perfect%20square%20binomial%20worksheet In PDF document text
    • https://fidevawane.weebly.com/uploads/1/3/0/8/130814252/4a8d5db.pdfIn PDF document text
    • http://fontawesome.iohttp://fontawesome.io/license/In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://s3.amazonaws.com/vufuzewasi/section_20.4_electronic_devices_worksheet_answers.pdfIn PDF document text
    • https://s3.amazonaws.com/dadupawo/51890142608.pdfIn PDF document text
    • https://s3.amazonaws.com/kawotexulozax/yiruma_easy_piano.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/898390fa-77ff-4483-9240-4603d164a2d6/65326798957.pdfIn PDF document text
    • https://s3.amazonaws.com/lanorolowu/riscos_ambientais_no_ambiente_de_trabalho.pdfIn PDF document text
    • https://s3.amazonaws.com/mijedusovineti/74822692297.pdfIn PDF document text
    • https://s3.amazonaws.com/mutirexa/catskills_hiking_map.pdfIn PDF document text
    • https://s3.amazonaws.com/jedaxopopuko/rotegud.pdfIn PDF document text
    • https://s3.amazonaws.com/gorajikunobixi/gopozoliz.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fa4b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFA4B 3384 bytes
SHA-256: e93ba6038b410302e1d7eaf9d9d8583c154568a49cd971aab5376f2569b2e4f3
font_01_sfnt_off000107a8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x107A8 5688 bytes
SHA-256: 099092e9caffc97e8c1b8d954ff13eafb5d5b1c439765bbf8c03b3fcd382ceb0
font_02_sfnt_off00011ae6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11AE6 10972 bytes
SHA-256: fd6fab9b7f1421eeefb848b8bc14044d212d46489336638e497b8f0bc48d6a7b
font_03_sfnt_off00013feb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13FEB 16084 bytes
SHA-256: 249651805b0a8f5b4743f17da7e3943b18be49f9c75a96c0f18a2f62b87e55bb
font_04_sfnt_off00015497.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15497 4324 bytes
SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2