Malicious PDF — malware analysis report

Static analysis result for SHA-256 b172005e494bb525…

MALICIOUS

PDF

47.9 KB Created: 2020-10-27 13:19:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: 340afe86a84cf41a1f09e085ac04bf75 SHA-1: 2cbcc2d6d04e4ba94d1f02d4cce2d7d566fcd7fa SHA-256: b172005e494bb525f6c508ab2726e99cee9b8ed7170233145a655fd69c8a448d
154 Risk Score
Tags
free-cdn-ebook-manual-lure

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded URLs that point to a known malicious redirector, suggesting an attempt to lead the user to a malicious site. The heuristic 'PDF_SEO_LINK_FARM' indicates the document is designed to host numerous external links, likely for SEO manipulation or to obscure the malicious destination. While no scripts were directly extracted, the PDF structure and embedded URLs are indicative of a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cctraff.ru/strik?keyword=iaito+dark+souls+3 In PDF document text
    • https://cdn-cms.f-static.net/uploads/4413239/normal_5f977e4813684.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4386080/normal_5f8e8d6dba573.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4393041/normal_5f8f528df3383.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366028/normal_5f8722e14cf9c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4390660/normal_5f8db82bc5f5b.pdfIn PDF document text
    • https://nudojafobedem.weebly.com/uploads/1/3/1/3/131379550/676684.pdfIn PDF document text
    • https://vadurevagide.weebly.com/uploads/1/3/3/9/133999829/464edd59ed0caa6.pdfIn PDF document text
    • https://texitanoz.weebly.com/uploads/1/3/0/7/130739996/35d1cd.pdfIn PDF document text
    • https://sitizoxibe.weebly.com/uploads/1/3/4/3/134317871/91a91a27.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/24c19610-5b37-4cff-8921-55356896a0a9/71093066245.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3f388d6c-d21b-4a37-892a-ed694297d0ab/90949260208.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5983d433-9712-494f-a212-cb2efc494628/superfighters_deluxe_download_free.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/54ea399e-ead6-4b39-82c6-8f177bcfc5d2/reponaroro.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2fa75ad7-2590-4234-85b8-b21cd4922ebe/perozutotomu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8b34c489-2fc3-4fd4-a27f-1fab5cd68c06/xabawobi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7e9e2b4d-2a7b-4972-8035-4974702f2111/problemas_de_areas_y_perimetros_1_eso.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c4d06f08-6331-40c8-b390-e9fbe877647f/25625337272.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0481/3589/7251/files/amc_10a_2020_scores.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0496/5321/9479/files/wudumebizaweper.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off0000979e.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x979E 17568 bytes
SHA-256: 2bd0147e7c8e1408a7f4ba117bdb93f834fe13d7cb33743b168ca1ff6fc91103
font_00_sfnt_off000061cb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x61CB 4984 bytes
SHA-256: eec9869adf75a005196c8372d94d76beb84c77441757ef154071c266f925ae60
font_01_sfnt_off000072c7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x72C7 10940 bytes
SHA-256: 60e4281bf87fe58384bf950c86127bb487b3ff16f2ccd1c5b14c6d7b7f01741a

Open this report in the interactive analyzer, or submit your own file for analysis.