Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ee9b8844c054991…

MALICIOUS

PDF

Size: 32.0 KB
Created: 2020-10-26 21:26:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ed85169ed8835ee61c4b620dbd0abfc3
SHA-1: 3f1cccafbb25bb9d09cb15927d7effd76bf6a59c
SHA-256: 9ee9b8844c0549915fe3db85fc04e732ae23a7413d4df1842690e5d2549ff733
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of external links posing as controller instructions (the lure keyword in the primary URL is "afterglow prismatic wired controller instructions"), and the primary link (gettraff.ru) is identified as a malicious redirector. The ML classifier scored the file 0.9996 malicious, and the PDF structure itself matches a generated link farm built to route readers into malicious content, consistent with the wkhtmltopdf authoring metadata (an HTML page rendered to PDF). No scripts were extracted, so the T1059.007 mapping is not backed by recovered JavaScript; the detection rests on the many embedded URLs, which point to a phishing or redirection attack that depends on the user clicking rather than on a parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (24):
    • https://gettraff.ru/123?keyword=afterglow+prismatic+wired+controller+instructions
    • https://cdn-cms.f-static.net/uploads/4369143/normal_5f8c428decc49.pdf
    • https://rowofijiguni.weebly.com/uploads/1/3/4/4/134479741/feweru.pdf
    • https://vuxopulifutimu.weebly.com/uploads/1/3/4/4/134450850/509c13924c.pdf
    • https://gimejexoxixaza.weebly.com/uploads/1/3/1/8/131872185/987b21c6b.pdf
    • https://gakuwalexutibok.weebly.com/uploads/1/3/4/3/134332976/71343b015c414.pdf
    • https://vapaniwagivu.weebly.com/uploads/1/3/4/4/134442769/dd5837e0b2904.pdf
    • https://cdn-cms.f-static.net/uploads/4366993/normal_5f8a526cae92d.pdf
    • https://cdn-cms.f-static.net/uploads/4366399/normal_5f8aa11de92d0.pdf
    • https://cdn-cms.f-static.net/uploads/4376359/normal_5f928fe47a200.pdf
    • https://gonerogad.weebly.com/uploads/1/3/1/4/131438616/5c35e9d.pdf
    • https://numibogag.weebly.com/uploads/1/3/4/3/134323011/776bb.pdf
    • https://gemenudotipetal.weebly.com/uploads/1/3/2/6/132695720/narobubo_nilaguvuzuvujeb_gomezu_fexogufuputat.pdf
    • https://gononazenikemad.weebly.com/uploads/1/3/4/4/134482012/3975642.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0497/5581/6090/files/55702406407.pdf
    • https://cdn.shopify.com/s/files/1/0266/8507/9739/files/nodulos_de_cuerdas_vocales.pdf
    • https://cdn.shopify.com/s/files/1/0499/8935/3622/files/lucky_patcher_apk_latest.pdf
    • https://cdn.shopify.com/s/files/1/0501/7603/2946/files/luluwularavu.pdf
    • https://cdn.shopify.com/s/files/1/0501/0469/6997/files/nanostation_m5_manual_configuration.pdf
    • https://cdn.shopify.com/s/files/1/0497/5978/1023/files/ejercicios_de_punto_de_equilibrio_financiero.pdf
    • https://cdn.shopify.com/s/files/1/0495/5232/6823/files/resident_evil_2_official_guide.pdf
    • http://scripts.sil.org/OFL
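The two critical heuristics above describe a check that is straightforward to reproduce: enumerate the clickable /URI targets in a PDF (including any tucked inside FlateDecode'd object streams), measure how many there are relative to the file size and how strongly they cluster on one registered domain, and confirm that no script-bearing keys are present. The Python below is an added example written for this page, not the analysis platform's own detector. The sample PDF it builds and every URL in it are constructed, the thresholds (10 links, 64 KB, 40% on one domain) are illustrative assumptions, and registered-domain grouping uses a last-two-labels approximation rather than the Public Suffix List.

```python
"""Triage a small PDF for a clickable link farm.

Added example for this report, not the analysis platform's own detector.
It pulls every /URI from link-annotation dictionaries, including ones
inside FlateDecode'd streams, clusters the targets by registered domain,
and reports whether any script-bearing keys exist.  Thresholds are
illustrative assumptions; the sample PDF and its URLs are constructed.
"""
import json
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Literal-string URIs only; hex strings (/URI <...>) and escaped parens
# are not handled, which is enough for a first-pass triage.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
SCRIPT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def scannable_blobs(data: bytes):
    """Yield the raw file plus every stream that inflates cleanly, so
    dictionaries hidden in /ObjStm object streams are not missed."""
    yield data
    for body in STREAM_RE.findall(data):
        try:
            yield zlib.decompress(body)
        except zlib.error:
            pass  # not FlateDecode (fonts, images) or corrupt: skip it


def pdf_uris(data: bytes) -> list:
    """All clickable /URI targets, decoded as latin-1."""
    return [u.decode("latin-1") for blob in scannable_blobs(data)
            for u in URI_RE.findall(blob)]


def registered_domain(host: str) -> str:
    """Approximation: last two labels.  A production check would consult
    the Public Suffix List so co.uk-style suffixes are not treated as sites."""
    return ".".join(host.split(".")[-2:])


def triage(data: bytes, min_links: int = 10, max_size: int = 64 * 1024,
           cluster: float = 0.4) -> dict:
    """Apply the link-farm heuristic and report the supporting facts."""
    uris = pdf_uris(data)
    domains = Counter(registered_domain(urlparse(u).hostname or "") for u in uris)
    top_domain, top_n = domains.most_common(1)[0] if domains else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    script_keys = sorted({k.decode() for blob in scannable_blobs(data)
                          for k in SCRIPT_KEYS if k in blob})
    return {
        "size": len(data),
        "links": len(uris),
        "pdf_targets": sum(urlparse(u).path.lower().endswith(".pdf") for u in uris),
        "top_domain": top_domain,
        "top_domain_share": round(share, 2),
        "script_keys": script_keys,
        # Small file, many links, most on one domain: the SEO link-farm shape.
        "link_farm": len(data) <= max_size and len(uris) >= min_links and share >= cluster,
    }


# Constructed sample: seven subdomains of one "blog host", three CDN
# uploads, one redirector with a keyword lure, one font licence link.
SAMPLE_URLS = [
    "https://%s.farm.example/uploads/1/3/4/4/%d/doc.pdf" % (s, 134000000 + i)
    for i, s in enumerate("abcdefg")
] + [
    "https://cdn.files.example/uploads/%d/normal.pdf" % n for n in (4366993, 4366399, 4376359)
] + [
    "https://redirector.example/123?keyword=wired+controller+instructions",
    "http://fonts.example/OFL",
]


def build_sample_pdf(urls: list) -> bytes:
    """Minimal PDF body for scanning: half the link annotations are plain
    objects, half sit inside a FlateDecode stream so both paths are exercised.
    No xref or /N /First entries, since only the bytes are inspected."""
    plain = b"".join(
        b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n"
        % (10 + i, u.encode()) for i, u in enumerate(urls[::2]))
    hidden = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n" % u.encode()
        for u in urls[1::2])
    comp = zlib.compress(hidden)
    objstm = (b"9 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
              % len(comp) + comp + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + plain + objstm + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_pdf(SAMPLE_URLS)), indent=2))
```

Grouping by registered domain rather than hostname matters for carriers like this one: the weebly.com upload links above each sit on a different subdomain, so a per-hostname count would dilute the cluster and the farm would read as "many unrelated hosts". The scan of inflated streams is the other detail worth keeping, since generated PDFs routinely pack annotation dictionaries into compressed object streams where a grep over the raw file finds nothing.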

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00006917.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6917  5556 bytes
SHA-256: 03cae406eb672ce64c71e56c9ca35e35280ad00e36a72dd7ce5a4fc0b5744e26