Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3ac272731a5ddb6…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Created: 2020-02-26 14:49:41
Authoring application: PDF Studio
First seen: 2021-05-23
MD5: a61a9e026e50df986a9a86771cdb273a
SHA-1: 7bc903076b3a9c437e09522d13bd545000625bc9
SHA-256: a3ac272731a5ddb60d74ffaf5df911da5e4423964405485ff6b553e21d8c367e
Risk score: 122

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded links that redirect to known malicious infrastructure, specifically a URL associated with a link farm designed for SEO manipulation. The document body, though heavily obfuscated, contains a reference to the malicious URL, suggesting an attempt to trick users into downloading potentially harmful software. No scripts were extracted, but the presence of malicious redirector links is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9959

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00006239.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x6239, 5344 bytes
    SHA-256: 6abf3417da8e7592176e523f5691ee87c007e350818e078d07f8a4986f59d033
  • font_01_sfnt_off000074eb.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x74EB, 5188 bytes
    SHA-256: 852854e8fb564e8922a52e3777a9e2c09bdad636b321b3bf213bec63a72ba6f9
  • font_02_sfnt_off000086c1.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x86C1, 10624 bytes
    SHA-256: 75b0d65eaf97537fddeb2d9fafc34c715fcefb56bc530ffa5644a792e564bc87
  • font_03_type1_off0000b21e.bin (pdf-font-stream): PDF embedded font (type1) at offset 0xB21E, 74 bytes
    SHA-256: 66e4520597a651f09ad8fe2af9ce002e2735d7ba5ff66d04fd92415068c6750b