Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0be7cf1b593c021…

MALICIOUS

PDF

Size: 43.2 KB
Created: 2020-09-28 17:00:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 022ff09e303d67222a2cfa3504cea07d
SHA-1: 796474ebed4b3222ac5ce2a5ee035e35f7fcda60
SHA-256: b0be7cf1b593c0216236fb30fefc38d118721a5cf6491910a1846a6b1a51baed
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous links to external PDFs, many of which point to redirector infrastructure. The primary link, 'https://gettraff.ru/mozel?keyword=aimovig+package+insert+pdf', is identified as a malicious redirector. This suggests the document is designed to lure users into clicking malicious links, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://gettraff.ru/mozel?keyword=aimovig+package+insert+pdf
    • https://site-1036957.mozfiles.com/files/1036957/jikezewanu.pdf
    • https://site-1037054.mozfiles.com/files/1037054/duzeboravap.pdf
    • https://site-1036716.mozfiles.com/files/1036716/likebuburutenolidizerez.pdf
    • https://site-1036911.mozfiles.com/files/1036911/xokabakasuleru.pdf
    • https://site-1036898.mozfiles.com/files/1036898/mikanadenudukofuxa.pdf
    • https://site-1036698.mozfiles.com/files/1036698/barawakeduj.pdf
    • https://site-1037283.mozfiles.com/files/1037283/lomuz.pdf
    • https://site-1036743.mozfiles.com/files/1036743/duxubogadaputetubu.pdf
    • https://cdn.shopify.com/s/files/1/0429/2126/3271/files/xifadiwejezurilexokigim.pdf
    • https://cdn.shopify.com/s/files/1/0434/0521/3846/files/gukiwelavilin.pdf
    • https://cdn.shopify.com/s/files/1/0431/9841/5010/files/kejanoxunotata.pdf
    • https://cdn.shopify.com/s/files/1/0440/4169/9478/files/mupepomifananokegu.pdf
    • https://8c7ed240-5072-4bc7-b1ed-0bb8a238140b.filesusr.com/ugd/76e31d_eb8a52a2411d4e11be876c02d931a8e1.pdf?index=true
    • https://86c9de77-e3d6-4455-8c1a-ee0794339622.filesusr.com/ugd/51c472_f43d49040a83422eb625103598d62a66.pdf?index=true
    • https://2c175b09-2b2a-4f80-98ff-72bafbf3b58c.filesusr.com/ugd/cafc24_9918b415dc14499eb8a7efa173a48471.pdf?index=true
    • https://3d6dbcd1-02da-4413-82d1-039535b59ef1.filesusr.com/ugd/e1d12c_6e9e98dc92d44fa785a6f96d7e09ccaf.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000069f9.bin
    SHA-256: facf8c1d3e415e063fc8d3702b48d4f9205039e75da9e3b21d551763d31c0106
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x69F9
    Size: 5556 bytes
  • font_01_sfnt_off00007cd9.bin
    SHA-256: 5fdb261f826b699f59bf27157dafdae681c922dee5d85ce64c7f264b9ed4a529
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7CD9
    Size: 10280 bytes