Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3d44afbe4be1806…

MALICIOUS

PDF

50.0 KB Created: 2020-10-26 18:41:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21f52ddd9fb70e28ee303aeadcf2646e SHA-1: 9be60ef0333a15a97a3b0b2af571bce0c7cd4b56 SHA-256: a3d44afbe4be180607394b9952a2474ba3778da62d561a91e7a3f855f42e2cbd
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded links, many of which point to a link farm designed to redirect users to malicious content. The primary malicious URL identified is https://ggtraff.ru/strik?keyword=authors+of+the+books+of+the+bible+pdf, which is flagged as a known malicious redirector. The document's structure and content suggest an attempt to lure users into clicking these links, likely leading to further malicious downloads or phishing attempts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=authors+of+the+books+of+the+bible+pdf
    • https://dumunevebule.weebly.com/uploads/1/3/0/8/130874169/3560493.pdf
    • https://soxajenukaru.weebly.com/uploads/1/3/0/8/130874283/5565442.pdf
    • https://lokixesope.weebly.com/uploads/1/3/1/6/131607163/pajefeketimivazo.pdf
    • https://bilewazivabo.weebly.com/uploads/1/3/2/8/132816117/338325.pdf
    • https://zawiferodabubap.weebly.com/uploads/1/3/4/4/134447725/vepekikive_somosesorolalol_vavafuxedivika.pdf
    • https://kurikezexiwu.weebly.com/uploads/1/3/0/7/130775092/rokolokino.pdf
    • https://penopetidurip.weebly.com/uploads/1/3/2/8/132815040/3299226.pdf
    • https://vutizimowunofe.weebly.com/uploads/1/3/4/3/134354130/ded14.pdf
    • https://nakumupapetiz.weebly.com/uploads/1/3/2/7/132741615/4873dc2d65f15.pdf
    • https://fakimodixoto.weebly.com/uploads/1/3/0/7/130739088/zolisevegumadop.pdf
    • https://bizumoku.weebly.com/uploads/1/3/2/6/132681494/9274324.pdf
    • https://genigudepa.weebly.com/uploads/1/3/1/0/131070712/runemevurexuziwone.pdf
    • https://donodofi.weebly.com/uploads/1/3/1/8/131856097/3177788.pdf
    • https://xifobosakup.weebly.com/uploads/1/3/2/8/132815359/250361.pdf
    • https://buliduxefexefux.weebly.com/uploads/1/3/1/6/131636978/jepenisobatidumogoja.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/accd12de-f4b0-496c-8781-6b038dd1d283/fozopuwakanisu.pdf
    • https://uploads.strikinglycdn.com/files/5f27b935-116d-475c-8a88-abdfa02e257c/gimebijebuxugujizet.pdf
    • https://uploads.strikinglycdn.com/files/8f869f12-3084-4cd2-b444-23e5e1582b89/ruwiwogepuvoderuzib.pdf
    • https://uploads.strikinglycdn.com/files/ecc150d0-f6fc-4590-89f6-b52a16c2cd38/godzilla_unleashed_mods.pdf
    • https://uploads.strikinglycdn.com/files/4f3a8a8c-a452-470a-8e73-3664b114ce2f/noseloxiredibarinaseragu.pdf
    • https://uploads.strikinglycdn.com/files/9601fa58-1b22-4d07-940b-ea0f1b2b751e/swing_time_zadie_smith_free_down.pdf
    • https://uploads.strikinglycdn.com/files/accc5319-0042-4e03-aa5b-d82f1b377852/tamoroxaban.pdf
    • https://uploads.strikinglycdn.com/files/8d60facd-be48-4237-b354-d535996c79ea/48259739399.pdf
    • https://uploads.strikinglycdn.com/files/2ace561d-d0d3-45e2-91d6-24c6ac1b8ae2/neramuf.pdf
    • https://uploads.strikinglycdn.com/files/c68cdc55-58aa-4100-aa5f-b3c0f542a1b4/fatuwuxigenodedokosup.pdf
    • https://uploads.strikinglycdn.com/files/dcd6cd00-1c69-408c-b48f-7742f3de2d02/nxt_soccer_robot_building_instructions.pdf
    • https://uploads.strikinglycdn.com/files/bdc657a7-47f1-4ea4-ab8b-7dfaa8e43f03/23541485129.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007659.bin
a7412cdb281d526a389d6ae29f30e889fefdf0c48272585d8044277dbaea7f4d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7659 4888 bytes
font_01_sfnt_off00008705.bin
fa855e4b6a4e5c211d18f4f90cde1b0881d8e65773d72b74847fc9471c0f83e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8705 10672 bytes
font_02_sfnt_off0000ab8e.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB8E 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.