Malicious PDF — malware analysis report

Static analysis result for SHA-256 b08cf42567527ce9…

MALICIOUS

PDF

46.8 KB Created: 2020-11-07 21:34:52 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf327cb031886bc5a927e11e9b1a99e0 SHA-1: cc8e9ec6e5237b88040b8e1f43479c4845c49786 SHA-256: b08cf42567527ce92088b9e20751641f8da71b75feba5f321b9518b433088d91
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded links, many pointing to external websites, indicating a link farm or SEO manipulation tactic. The document body, though heavily obfuscated, contains text related to a 'manual for cricut explore air 2' and includes URLs that are likely part of this scheme. The ML classifier and PDF link farm heuristics strongly suggest malicious intent, likely to drive traffic to malicious sites or distribute further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/aws?keyword=manual+for+cricut+explore+air+2
    • https://povozunalurowub.weebly.com/uploads/1/3/4/6/134665666/zupew_jebidixawite.pdf
    • https://xinotojopafexiz.weebly.com/uploads/1/3/4/3/134316842/finimisevunere.pdf
    • https://dofidosuxemaxej.weebly.com/uploads/1/3/4/5/134595751/damogefudolezu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://sufuvuse.files.wordpress.com/2020/11/3074016501.pdf
    • https://jazefev.files.wordpress.com/2020/11/98505235657.pdf
    • https://s3.amazonaws.com/lopazura/la_luna_sangre_august_9.pdf
    • https://robedekoza.files.wordpress.com/2020/11/41703728180.pdf
    • https://nowagukow.files.wordpress.com/2020/11/diwazixatikemidadoxile.pdf
    • https://zatejoru847961968.files.wordpress.com/2020/11/72489844693.pdf
    • https://rigimep.files.wordpress.com/2020/11/71654823562.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000754d.bin
1b31032392939b18c1851b41f96043490c37ac0b430cc084bcbda6ec993ab446		 pdf-font-stream PDF embedded font (sfnt) at offset 0x754D 5036 bytes
font_01_sfnt_off00008698.bin
b997b28074b8a37f2b749707b903b475b2081aeab0f09c2b3d56c26428ed982b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8698 11376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.