Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ec026f261bfd04b…

Verdict: MALICIOUS
File type: PDF
Size: 34.7 KB
Created: 2020-11-08 11:40:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 187493791077c953632e35bcf58df1ce
SHA-1: e02b07f10b02f4f66adcc49cb5929712e08273c0
SHA-256: 9ec026f261bfd04b4a4f98f638e682d595fd065a872767e45ce51241cbd42367
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, many of which point to PDF files hosted on file-sharing services. The primary URL, 'https://traffset.ru/aws?keyword=squeeze+theorem+worksheet+and+answers', suggests a lure to a website that likely hosts malicious content or phishing pages. The heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate attempt to create a link farm, a common tactic for SEO manipulation or distributing malicious content. No scripts were extracted, but the presence of numerous external links and the ML classifier's high confidence score suggest a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://traffset.ru/aws?keyword=squeeze+theorem+worksheet+and+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005a54.bin
    SHA-256: 71452d2efe81c175d64cbe8f9297bb16dd1c6606c8dc3190d17a0088ad481f38
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A54
    Size: 5740 bytes
  • Filename: font_01_sfnt_off00006e35.bin
    SHA-256: f308d512a3dd43c267bf673f262216f06422463e0b9b4f31f17e6c7012785ba8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E35
    Size: 5468 bytes