Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d060ce7af3cfd1d…

MALICIOUS

PDF

36.3 KB Created: 2020-10-03 12:53:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-26
MD5: 6276aa943228885aa7ce2ad167da1353 SHA-1: bd7d1128aec6df16b9579aca59e652ad7c153168 SHA-256: 8d060ce7af3cfd1db584aca9bae53bd88b5c6d7e67c2590455c70c535bf6ab82
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file exhibits characteristics of a link farm designed to redirect users to malicious content. The presence of numerous embedded URLs, including a known malicious redirector, strongly suggests an attempt to lure victims to phishing or malware distribution sites. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/pify?keyword=maisto+assembly+line+cars In PDF document text
    • http://litebu.kariemsaleh.de/uploads/1/3/1/6/131637218/40682cf05c16.pdfIn PDF document text
    • http://files.lisachoustudio.com/uploads/1/3/1/4/131409621/kidudatoz_tamanusufenupep_jewifuw.pdfIn PDF document text
    • http://komor.javtv.com/uploads/1/3/0/7/130775288/8713125.pdfIn PDF document text
    • http://rejefoja.wivert.co.uk/uploads/1/3/1/4/131482952/mezaluvolodef.pdfIn PDF document text
    • https://site-1040244.mozfiles.com/files/1040244/25599574060.pdfIn PDF document text
    • https://site-1036872.mozfiles.com/files/1036872/80542825860.pdfIn PDF document text
    • https://site-1039002.mozfiles.com/files/1039002/70624022954.pdfIn PDF document text
    • https://site-1039777.mozfiles.com/files/1039777/munivajetam.pdfIn PDF document text
    • https://site-1039538.mozfiles.com/files/1039538/17536042295.pdfIn PDF document text
    • https://site-1037075.mozfiles.com/files/1037075/41553611519.pdfIn PDF document text
    • https://site-1037098.mozfiles.com/files/1037098/78108796580.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/a8d6fe85-87b2-4c98-8033-1b2528501c18/49645505838.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8f94ca12-71b8-4f7b-8a5b-f11b695fe21b/juzodiposawekib.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c2f07c13-5c92-41e4-9042-af5161e05229/55856875659.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c8083b4a-2f45-4475-98a5-859438312174/miralafodimapupoxixepop.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004539.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4539 4980 bytes
SHA-256: 64eba9653aed391151e73e6485d8d891ca6cbf5d1fa76bf4b8553deb6dbf31be
font_01_sfnt_off0000560f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x560F 9496 bytes
SHA-256: 9fc60a5fc129e8dbe456a41151d7ef497f9648c257b3a56f84a38d6a9ffa9e79
font_02_sfnt_off00007665.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7665 4324 bytes
SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333

Open this report in the interactive analyzer, or submit your own file for analysis.