Malicious PDF — malware analysis report

Static analysis result for SHA-256 a356901980197ebd…

MALICIOUS

PDF

Size: 43.3 KB
Created: 2020-10-27 11:24:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: ba01552160cc876e3643dc8c9e50fdbf
SHA-1: 2f0ac4f77b343c926fb165f7f0271f113119f012
SHA-256: a356901980197ebd5f69cc0d0408bca3d6d2f88dc520be2aec8ecbf602c9066e
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded links, many of which point to external resources, indicating a link farm or SEO manipulation tactic. One critical heuristic identified a link to known malicious redirector infrastructure, suggesting an attempt to lead users to harmful sites. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI pointing at redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00006b46.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B46 | 5232 bytes | 545693e50c2a99250710a60d0f10481a7834fff30ee91bc887f6bb85a6cfa6b0
font_01_sfnt_off00007cec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7CEC | 10224 bytes | ff3f79616933a0f5518770f8a6afef2133cab479613958930658be0811183c58