Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f7799910eb95ea0…

MALICIOUS

PDF

51.6 KB Created: 2020-11-05 01:21:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58182b97de96d5a3b52484f381c594b8 SHA-1: 01e26d70227681cb473e42e9627214f3227e7187 SHA-256: 9f7799910eb95ea028b68200752527ab44bdec4b7f12801b22cf8f74c1480913
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to redirector infrastructure designed to lead users to malicious sites. The document body, though heavily obfuscated, contains a URL that appears to be part of a link farm, further supporting the lure to external content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=unblocked+games+66+bridge+builder
    • https://cdn-cms.f-static.net/uploads/4369328/normal_5f9ea3b5153ff.pdf
    • https://polabufasol.weebly.com/uploads/1/3/2/8/132814050/3e6fb2f07a7fab.pdf
    • https://cdn-cms.f-static.net/uploads/4374198/normal_5f9c7cb0d9262.pdf
    • https://cdn-cms.f-static.net/uploads/4402722/normal_5fa32f274bace.pdf
    • https://cdn-cms.f-static.net/uploads/4417123/normal_5fa051c84e110.pdf
    • https://cdn-cms.f-static.net/uploads/4408002/normal_5f94998b4cb6a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://s3.amazonaws.com/xifabilejilab/22606966105.pdf
    • https://s3.amazonaws.com/kavalukato/endless_war_8_hacked.pdf
    • https://s3.amazonaws.com/ragejufa/casio_ms-80te_battery_replacement.pdf
    • https://s3.amazonaws.com/wixanarer/wunukakufemaguraledur.pdf
    • https://cdn.shopify.com/s/files/1/0268/6998/9559/files/samewusesuvamen.pdf
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000842d.bin
1ab9c924562f98e1247f3b012364e9794392ecdee5301c00a2ff786957b887e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x842D 5608 bytes
font_01_sfnt_off00009720.bin
6984557ab1e16e01ecdeba9f6ac07205e858a0cc0bdd2a843c96e02aa682a672		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9720 17108 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.