Malicious PDF — malware analysis report

Static analysis result for SHA-256 a39c44b5ab5674dc…

MALICIOUS

PDF

53.1 KB Created: 2020-10-09 00:04:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-05
MD5: 886cb19b3079913573b979c31bd41591 SHA-1: 4bbf07886b684da9990ad89d8d7867a6034eff74 SHA-256: a39c44b5ab5674dc96b7231fa9ddd598f1d84ef0c88391ae6acb56b8bfe0ae0e
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links, with one identified as a known malicious redirector. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'Amorous adventures skyrim guide'. The presence of a link farm on disposable hosting and a critical heuristic firing for malicious redirector links strongly suggests a phishing or malware distribution attempt. No scripts were extracted, but the PDF structure itself facilitates the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=amorous+adventures+skyrim+guide In PDF document text
    • https://site-1038460.mozfiles.com/files/1038460/tilulogeja.pdfIn PDF document text
    • https://site-1039828.mozfiles.com/files/1039828/bisevudud.pdfIn PDF document text
    • https://site-1044115.mozfiles.com/files/1044115/dujifagukifubibajoli.pdfIn PDF document text
    • https://site-1039437.mozfiles.com/files/1039437/67422132679.pdfIn PDF document text
    • https://site-1037069.mozfiles.com/files/1037069/25925991231.pdfIn PDF document text
    • https://site-1043262.mozfiles.com/files/1043262/29421271935.pdfIn PDF document text
    • https://site-1042888.mozfiles.com/files/1042888/kewilikudadeb.pdfIn PDF document text
    • https://site-1043033.mozfiles.com/files/1043033/16406909442.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/cda0a12e-15ab-47c1-b1d1-e86bb412d665/93255027456.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3501a4e7-20e4-42fa-925f-5939a0c8bdfe/86495091899.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/76943ea9-aa42-4e3a-8781-c75282432cee/nezarevu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8ce5e94e-138a-4a27-a3da-c815352d679c/barutizugekusepikug.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5ee1817a-1f3c-4ab9-afe2-b9620ef881c9/fumowesotidabiteg.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0481/3953/4503/files/28581654043.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0266/8327/7491/files/red_demon_eye_contacts.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0430/1075/2663/files/dawasojuxaxavavanuvopa.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0432/0513/2456/files/wii_system_price_walmart.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000afb3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAFB3 5212 bytes
SHA-256: 8db918070026f8a4aa7a292e1c2b7924bf7c9b81e9e750b6b14366c5dde5f871