Malicious PDF — malware analysis report

Static analysis result for SHA-256 b95e1eaeccff9509…

MALICIOUS

PDF

39.8 KB Created: 2020-11-07 10:18:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-05
MD5: 021a6473e6b23fad4b60678378634b3f SHA-1: b52c763bc6def5f2a392d21c70721f734d9d07ff SHA-256: b95e1eaeccff95097a578fc2487d5f12008f418c41db6fa5cfd5e7748da2e040
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded links, with one identified as a malicious redirector. The document body, though heavily obfuscated, contains text suggesting a lure related to a "Fairy doll tutorial" and includes the malicious URL. The presence of numerous external PDF links, many hosted on file-sharing services, further indicates a link farm or redirection strategy.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/123?keyword=fairy+doll+tutorial In PDF document text
    • https://cdn-cms.f-static.net/uploads/4379613/normal_5f91e627ed15c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4460076/normal_5fa4aa05543cb.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://wuzeluvaza.files.wordpress.com/2020/11/veburorarokotujegiv.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6c4a6464-10c6-43ad-bf35-c81671380a1c/25677723273.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2c37564f-0689-4a6d-9938-2132ecfd1477/dowuwavojosefejaperubemo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b2777fa3-254a-4ae1-9242-017cb5b69435/nawotimasolepoto.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/700c3f54-4cb2-460e-b6e0-3da32469b379/grow_tents_for_marijuana_kit.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/fee37ce1-ea47-4ab7-9680-5f3f700dd14d/morning_headaches_icd_10_code.pdfIn PDF document text
    • https://romekelisefo.files.wordpress.com/2020/11/nitunawikudaremutujozudok.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d152369c-04b1-483f-b53b-0b2d49b9061a/47821173142.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bb90e174-abf4-4e28-b7ca-e0d388b5ea98/concerto_d_aranjuez_piano.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ee1974b2-9fc0-449e-9091-7e0d527879dc/robodaxerugapiloxu.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5fc086b2-518c-49ad-bcf9-b620f6eb3dab/25462763706.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fa2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5FA2 4696 bytes
SHA-256: bc394c609f030322bd1ec84eb585a9ddba3797ebbb9cf76dda5fb64c970b27e1
font_01_sfnt_off00006fb3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6FB3 10220 bytes
SHA-256: af59a6dd66e1673364463b0c2b865e3fdae17bfb0a15fe037ac6ce7cb92f85ce