Malicious PDF — malware analysis report

Static analysis result for SHA-256 862ee2d04b484b0c…

MALICIOUS

PDF

43.1 KB Created: 2020-11-02 16:24:32 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: bceff1f99e0272556f22fcd3ade6ffab SHA-1: 41d202f1ccebb4846d785cb18b3d31fdd45dc53e SHA-256: 862ee2d04b484b0c115b2d04f76d0033c7314b1419a58c1cfed83b4c7169a355
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file contains a large number of embedded links, many pointing to disposable hosting services and redirector infrastructure. The primary URL identified, https://ggtraff.ru/strik?keyword=who+is+luxury+pranks, is flagged as a known malicious redirector. The document's structure suggests it is designed to act as a link farm, potentially for SEO manipulation or to distribute further malicious payloads to unsuspecting users.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=who+is+luxury+pranks In PDF document text
    • https://dopuxaponaxu.weebly.com/uploads/1/3/2/6/132695391/vumepidizo.pdfIn PDF document text
    • https://zaroxirag.weebly.com/uploads/1/3/4/4/134457582/mifevotozu.pdfIn PDF document text
    • https://rikisuluwujufa.weebly.com/uploads/1/3/1/4/131452938/0682a18976.pdfIn PDF document text
    • https://jarapitoxedomel.weebly.com/uploads/1/3/1/4/131437170/b417ee487d7.pdfIn PDF document text
    • https://vixijusodu.weebly.com/uploads/1/3/0/7/130776714/pezozug.pdfIn PDF document text
    • https://fisotewefupug.weebly.com/uploads/1/3/1/0/131071176/6010244.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/4e5db9df-aac7-47d2-8e32-76b979cae4b8/4311825667.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d31e2113-0071-4db1-af37-1caa78c97335/ruxevobogadogumoki.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0484/3038/3272/files/application_lookout_pour_android.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0486/1018/1280/files/dissertation_chapters_uk.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0437/5265/2951/files/better_homes_and_gardens_azalea_ridge_3-piece_outdoor_bistro_set.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0496/6590/0695/files/yaesu_ft_8800r_review.pdfIn PDF document text
    • https://s3.amazonaws.com/wonoti/zegezimorotof.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0433/7922/8837/files/betek.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/1791/0465/files/42603031530.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006940.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6940 5152 bytes
SHA-256: 43b3b5d19aae66460c76fc9a636a3fd1a86604efc90d38d788140120376f9eb8
font_01_sfnt_off00007ad6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7AD6 10836 bytes
SHA-256: a9ed916e5df7a40b2f80a93513481f7fc26a62107f508f4f14e428735c734efb