Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e4b8d3711de064a…

MALICIOUS

PDF

36.1 KB Created: 2020-11-09 07:09:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-26
MD5: 9fe6cc4fa4b1a36f8039af569342661d SHA-1: 484b63070a873da954563d28c64c232c5672a253 SHA-256: 7e4b8d3711de064a4942022b4d9ccf1a9e40911173a8865be9a2fc10e3a186cd
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of external links, many pointing to disposable domains, indicating a link farm or SEO spam operation. One prominent URL, 'https://trafffe.ru/123?keyword=indoor+volleyball+courts+near+me+free', is directly embedded and likely serves as the primary lure. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious intent. No scripts were extracted, but the structure and embedded URLs suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/123?keyword=indoor+volleyball+courts+near+me+free PDF link annotation
    • https://mipirizu.weebly.com/uploads/1/3/2/6/132682564/bakedilajibejo-lapulo-dodovopizo.pdfIn PDF document text
    • https://dawerofe.weebly.com/uploads/1/3/4/3/134361643/6395393.pdfIn PDF document text
    • https://kekipefawaro.weebly.com/uploads/1/3/4/5/134588225/5008753.pdfIn PDF document text
    • https://safasisi.weebly.com/uploads/1/3/4/4/134472516/tipegerosadapuroti.pdfIn PDF document text
    • https://wikabolodaj.weebly.com/uploads/1/3/4/6/134648749/f8c35f3b95.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/3e5f9436-44ff-4b82-b6dd-ca771b77b8b8/download_adobe_premiere_pro_cracked_2018.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3e68fcdd-b826-4dfe-9e8a-07cb01a415e6/degopazukodavukogedolob.pdfIn PDF document text
    • https://zopovamodutu.files.wordpress.com/2020/11/45329342212.pdfIn PDF document text
    • https://nugokun704377897.files.wordpress.com/2020/11/harvey_balls_in_excel_sheet.pdfIn PDF document text
    • https://gawazufe.files.wordpress.com/2020/11/college_writing_skills_with_readings.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8753e191-21d7-43ef-841c-f3be471dd46b/munekuxorogoredefoj.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2bc94aa9-7965-47db-bef0-bcd30530cd6c/bedasusunamifevanonit.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1560901b-20c3-4094-b58a-2132838a7252/banamuwabikupuwenaduxi.pdfIn PDF document text
    • https://pifakimep.files.wordpress.com/2020/11/fododuxuxinoni.pdfIn PDF document text
    • https://monirasuwa.files.wordpress.com/2020/11/vutazobovabotekibo.pdfIn PDF document text
    • https://witizugab.files.wordpress.com/2020/11/fogelu.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004bdb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4BDB 5404 bytes
SHA-256: 0532db3eb7a002cff310f745010408fb92f15200d11ab19ef937e912fd612a1b
font_01_sfnt_off00005e33.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5E33 11180 bytes
SHA-256: 6d9d5ffad1776630d0ba0306c33f05ea448db2b1d93e4d6df9b0686c38d0a7f5

Open this report in the interactive analyzer, or submit your own file for analysis.