Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8719e919be4ab25…

MALICIOUS

PDF

73.1 KB Created: 2020-09-30 00:30:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: a5b7ddc70b91ed26107005524b2d0c8f SHA-1: 9e8c507d1afc17b1ef1feddaed6cec613483a8be SHA-256: a8719e919be4ab25834cd8edddf6d4327af86b1f69ed4429863997b699df323d
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file contains a large number of embedded links, many of which point to disposable hosting and redirector infrastructure. The primary malicious URL identified is https://ggtraff.ru/strik?keyword=history+of+badminton+rules+and+regulations+pdf, which is flagged as a malicious redirector. The document's structure and content suggest it is designed to lure users into clicking these links, likely leading to further malicious activity or phishing attempts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?keyword=history+of+badminton+rules+and+regulations+pdf In PDF document text
    • http://files.aaugymnasticsnationals.com/uploads/1/3/1/4/131453214/1163374.pdfIn PDF document text
    • http://gukose.sjkim-tkd.com/uploads/1/3/1/6/131637308/betuburagisebiw.pdfIn PDF document text
    • http://burunur.leedsnorthdakota.com/uploads/1/3/0/7/130776246/6474064.pdfIn PDF document text
    • http://gusapub.shullsburgumc.com/uploads/1/3/2/6/132682787/00b183602d7a02d.pdfIn PDF document text
    • http://files.rkuclip.com/uploads/1/3/1/4/131437370/zanutema_bomagen_tezokede_rasal.pdfIn PDF document text
    • http://files.ydlwithchristinasever.com/uploads/1/3/2/7/132712080/7980369.pdfIn PDF document text
    • https://site-1037115.mozfiles.com/files/1037115/54205432678.pdfIn PDF document text
    • https://site-1036651.mozfiles.com/files/1036651/nusorideno.pdfIn PDF document text
    • https://site-1036728.mozfiles.com/files/1036728/7114008047.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/4748e1c1-ff2b-439a-86df-37653d1ecf32/puvena.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/26f5aa47-685f-44bf-964b-25f376b7556b/95325222972.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ecef.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xECEF 5564 bytes
SHA-256: 47849af78e58bc3edf98a1e93294b3b6fc0855a8cd7f843f6c46d5e63df8240f
font_01_sfnt_off0000ffc8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFFC8 10312 bytes
SHA-256: 4b6f2134d5f96c26249fdca18ad74587bb34aa28fbd347c3ed582d7702bec7be