Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3883acab21b65d5…

MALICIOUS

PDF

47.3 KB Created: 2020-10-30 20:08:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: 062e0cf77a58e4eb6ec21679ee045c07 SHA-1: d9244b7c7a3cc686d5e57c136fa555238f43c4f6 SHA-256: b3883acab21b65d5b80166ced566d340cff79cd98cf1d135514c74523ab33245
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and routes users through malicious redirector infrastructure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/123?keyword=dga+rate+card In PDF document text
    • https://cdn-cms.f-static.net/uploads/4379217/normal_5f94f810bd88e.pdfIn PDF document text
    • https://medefanitinov.weebly.com/uploads/1/3/4/3/134386417/wigemotumile-diwesokepekir-gesagebewebe.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366664/normal_5f875f2ab23b0.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://uploads.strikinglycdn.com/files/0b09be24-727c-4296-a7fd-b22b88223221/16547747845.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9e5bed14-727e-4eab-8b2a-69faa50c8875/14386028160.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0500/9424/4008/files/50241002850.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/2774/0827/files/ihss_application_los_angeles.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/27825e76-9b07-4413-9db5-00a5d702a3f4/mowapogipuzawapajami.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5b462f8b-0a88-42ac-8d65-f22cc539ad6f/5769679395.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d391a366-826d-4377-bd2b-1135683bb722/sememotezizuvepevolopi.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0502/9947/0018/files/kugokawi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/db41c734-55da-40b0-ac67-cb03b8ae67ee/pofiloso.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d7970d19-2a65-4fb0-9b99-e3b8beb76031/bts_bon_voyage_eng_sub_online.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/afbad48a-deef-4dda-a974-6dc723e73cb8/tafefedanunaxunajopopam.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0433/9105/8070/files/douglass_student_center_summer_hours.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0266/9281/2974/files/vopivawomodonufadakej.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d36.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6D36 4420 bytes
SHA-256: 7c20a48ccfbc673dcfd06c44b0462c96f297c122c135dc2c7c39fcbea77e96af
font_01_sfnt_off00007c4a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7C4A 11252 bytes
SHA-256: 88b7dea001da7fda7c8780b72a87c4f204792adac2a5c7216671d6fe4d5b24d8
font_02_sfnt_off0000a28e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA28E 4324 bytes
SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2