Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bcddaf9262990ca…

MALICIOUS

PDF

40.8 KB Created: 2020-10-09 05:30:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-22
MD5: 81e8b36983041eeef11189d2d79daf17 SHA-1: f48234988bc361fa9ca4925a5fa0752c65491a46 SHA-256: 8bcddaf9262990ca8f867092ffc83276ebfa7a665bdf7541cf795838ba24867a
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains numerous embedded links designed to redirect users to various websites, including a known malicious redirector. The document body, though obfuscated, contains text related to 'empresas multinacionales' and the URL 'https://ggtraff.ru/pify?keyword=que+es+empresas+multinacionales', suggesting a lure for SEO spam or phishing. The ML classifier strongly indicated maliciousness, and the heuristic firings confirm the presence of a link farm on disposable hosting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/pify?keyword=que+es+empresas+multinacionales In PDF document text
    • http://lukori.jayneamaraross.com/uploads/1/3/0/7/130775403/vivavidifi.pdfIn PDF document text
    • http://files.doubledragonkenpo.com/uploads/1/3/1/4/131437889/5771524.pdfIn PDF document text
    • http://bawudezaj.ojala.shop/uploads/1/3/0/7/130774979/medojekilep-fosuvufafixex-nuguvufe.pdfIn PDF document text
    • http://sadub.medeye.net/uploads/1/3/0/8/130873867/pafudiwuxulexomex.pdfIn PDF document text
    • http://kezenemif.pilgrimcamp.net/uploads/1/3/1/4/131438860/1e3016a60e85cd.pdfIn PDF document text
    • http://files.transmogrificationacademy.com/uploads/1/3/1/3/131384227/dasafabusewewaxo.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/d08e8a65-f02d-4065-a424-f0f736386766/852789083.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fe089e59-3c94-4c50-a115-2850f056599c/sovokiker.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f6b4f7b1-0dee-44ed-9650-81d2cde53b11/luxila.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7a6bad08-6806-46f6-8721-297daf177d21/23492417693.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/266e6b53-b0f5-415d-9257-49324516a0af/xumezatokexasukuxu.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0430/1049/0519/files/bamboo_back_scratcher_and_shoe_horn.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0477/5247/8876/files/wireless_rear_speaker_transmitter_kit.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0431/8596/3169/files/sample_landlord_letter_to_tenant_for_damages.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0266/9448/4147/files/sims_4_zodiac_challenge_base_game.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0429/0691/0887/files/45_45_90_triangle_side_rules.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000604d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x604D 5140 bytes
SHA-256: f951b2de4a87742e82b94fcba5572e87af85f0236e9f1cceff2506f4702dbcd6
font_01_sfnt_off000071aa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x71AA 10752 bytes
SHA-256: 28a71966e87b4beeaf63bebd5843e8904c362c53e12809881b1d5d205af74a4f

Open this report in the interactive analyzer, or submit your own file for analysis.