Malicious PDF — malware analysis report

Static analysis result for SHA-256 c648f4974ee242d0…

Verdict: MALICIOUS
File type: PDF
Size: 49.5 KB
Created: 2020-10-26 12:30:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-14
MD5: 4764ec2dafccb708cf3be7c4da856483
SHA-1: 979ad02056e664b73f52a1f30941f6fc5b4e86a3
SHA-256: c648f4974ee242d0fd32b540ad435180a02bbd52af1d511af1ed5544ca6d5318
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded links, and a critical heuristic identifies it as a carrier for malicious redirector infrastructure. One of the primary URLs, 'https://gettraff.ru/strik?keyword=windham+country+store', is flagged as redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. The document body, though heavily obfuscated, also contains this URL, suggesting an attempt to lure readers onto that infrastructure. The large number of external .pdf links, including 'https://uploads.strikinglycdn.com/files/3c13b31d-76ab-4032-9773-62113857f613/base_dect_livebox.pdf', further matches the SEO link-farm pattern. The metadata records wkhtmltopdf, an HTML-to-PDF converter, as the authoring application, which is consistent with an automatically generated carrier rather than a hand-authored document. None of the heuristics points to a parser exploit: the sample depends on a user clicking a link and following a redirect chain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in PDF document text:
    • https://gettraff.ru/strik?keyword=windham+country+store
    • https://cdn-cms.f-static.net/uploads/4417997/normal_5f95942ced89e.pdf
    • https://cdn-cms.f-static.net/uploads/4377116/normal_5f925bc8a324f.pdf
    • https://cdn-cms.f-static.net/uploads/4373998/normal_5f8e8b5f9ef1a.pdf
    • https://cdn-cms.f-static.net/uploads/4366377/normal_5f873ca0a2010.pdf
    • https://cdn-cms.f-static.net/uploads/4372967/normal_5f8a9e4a46672.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/3c13b31d-76ab-4032-9773-62113857f613/base_dect_livebox.pdf
    • https://uploads.strikinglycdn.com/files/d20cd035-97e3-4097-9447-8b730b91a0b3/fojenulukofifab.pdf
    • https://uploads.strikinglycdn.com/files/82c7154b-e0de-47f3-8541-4464c85994e5/xemulitodinipukifino.pdf
    • https://uploads.strikinglycdn.com/files/c26c096e-5892-4f17-adaf-36d613106882/what_is_usb_type_c.pdf
    • https://uploads.strikinglycdn.com/files/3694dc80-bbcf-4868-9c2e-adc2bf51acb6/dufapoxanopikot.pdf
    • https://uploads.strikinglycdn.com/files/864ca8fb-ba21-449e-a8ee-f40b6880d7e6/durafalasizobogeta.pdf
    • https://uploads.strikinglycdn.com/files/3927c0c3-2df0-44cc-a102-968616f490aa/meluzufej.pdf
    • https://uploads.strikinglycdn.com/files/063a221c-d203-4a6f-b421-e5f1cf3edd51/stadtbibliothek_bad_pyrmont_findus.pdf
    • https://uploads.strikinglycdn.com/files/367676ec-f332-410c-b07a-4e22ebc6aeb8/wofewa.pdf
    • https://uploads.strikinglycdn.com/files/ad0619e7-1846-45af-8d96-bb93e888bbff/vutapozemuvusetisuwevow.pdf
    • https://uploads.strikinglycdn.com/files/009c6c53-f119-4916-b0f1-175b0cdedfd7/91908329465.pdf
    • https://cdn.shopify.com/s/files/1/0493/1108/8799/files/vetifejopejereji.pdf
    • https://cdn.shopify.com/s/files/1/0437/6035/3429/files/temple_run_game_free_download_for_android.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP metadata namespace URIs (w3.org, purl.org, ns.adobe.com) and the SIL Open Font License URL: standard metadata references, not navigational links. The ascendercorp.com and daltonmaag.com entries are type-foundry sites of the kind carried in embedded font metadata. The links of interest are the gettraff.ru redirector and the external .pdf links clustered on cdn-cms.f-static.net, uploads.strikinglycdn.com and cdn.shopify.com.
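The PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shapes described above can both be reproduced with a lightweight scan of raw PDF bytes. The script below is an added example written for this page, not the analysis engine's own code. The size, link-count and host-share thresholds, the active-content keyword list and the sample PDF it builds are all constructed assumptions, and its regex-based extraction of `N G obj` definitions and `/URI` literal strings deliberately ignores object streams, hex-string URIs and xref tables.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds and keyword list for this example; the report engine's real values are not given.
MAX_SMALL_PDF_BYTES = 200 * 1024      # "small PDF"
MIN_EXTERNAL_PDF_LINKS = 8            # "many clickable external PDF links"
MIN_TOP_HOST_SHARE = 0.5              # "mostly clustered on one host"
ACTIVE_CONTENT_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
                       b"/AA", b"/SubmitForm", b"/GoToR")

# 'N G obj ... endobj' definitions in file order, and /URI literal strings (escaped parens allowed).
# Deliberately naive: object streams, hex-string URIs and xref tables are not parsed.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def iter_objects(pdf: bytes):
    """Yield (object number, generation, stripped body bytes) for every definition, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI literal string in the file with PDF backslash escapes removed."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(pdf: bytes) -> dict:
    """PDF_SEO_LINK_FARM shape: a small file whose external .pdf links cluster on one host."""
    hosts_of_pdf_links = []
    for uri in extract_uris(pdf):
        p = urlparse(uri)
        if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf"):
            hosts_of_pdf_links.append(p.hostname)
    hosts = Counter(hosts_of_pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(hosts_of_pdf_links) if hosts_of_pdf_links else 0.0
    flagged = (len(pdf) <= MAX_SMALL_PDF_BYTES
               and len(hosts_of_pdf_links) >= MIN_EXTERNAL_PDF_LINKS
               and share >= MIN_TOP_HOST_SHARE)
    return {"size_bytes": len(pdf), "external_pdf_links": len(hosts_of_pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2), "flag": flagged}


def duplicate_object_findings(pdf: bytes) -> list[dict]:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: the same (N, G) defined more than once with
    different bodies. Severity stays 'info' unless a differing body carries active content,
    because body-only differences are normal in benign incremental updates."""
    definitions: dict[tuple[int, int], list[bytes]] = {}
    for num, gen, body in iter_objects(pdf):
        definitions.setdefault((num, gen), []).append(body)
    findings = []
    for (num, gen), bodies in definitions.items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # not redefined, or redefined with identical bytes
        active = any(key in body for body in bodies for key in ACTIVE_CONTENT_KEYS)
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": bodies[0][:60].decode("latin-1"),   # what a first-definition-wins reader resolves
            "last_wins": bodies[-1][:60].decode("latin-1"),   # what a last-definition-wins reader resolves
            "severity": "high" if active else "info",
        })
    return findings


def build_sample_pdf() -> bytes:
    """Constructed test input, not the analysed sample: ten link annotations to .pdf files on one
    CDN-style host, one to a redirector, and object 1 0 (the catalog) redefined in an appended
    update with an /OpenAction added. No xref tables are written; the scanners above ignore them."""
    urls = [f"https://cdn.example-files.test/uploads/{i}/doc_{i}.pdf" for i in range(10)]
    redirector = "https://redirector.example.test/go?keyword=example+store"
    annots = "".join(
        f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
        f"/A << /S /URI /URI ({url}) >> >>\nendobj\n"
        for i, url in enumerate(urls + [redirector]))
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(urls) + 1))
    original = ("%PDF-1.4\n"
                "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
                f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [{refs}] >>\nendobj\n"
                + annots + "trailer\n<< /Root 1 0 R >>\n")
    update = ("1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI ("
              + redirector + ") >> >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return (original + update).encode("latin-1")


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_score(sample))
    for finding in duplicate_object_findings(sample):
        print(finding)
```

Run against a real sample with `link_farm_score(open(path, "rb").read())`. On the constructed input the link-farm check fires (ten .pdf links, all on one host, in a file far under the size threshold) and the duplicate-object check reports object `1 0` at severity high, because the redefined catalog adds an `/OpenAction`; a redefinition that only changed, say, a `/Title` string would stay at info, which is the distinction the report's heuristic draws.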

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000075a2.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x75A2
  Size: 5144 bytes
  SHA-256: 2116cb1a21d16b348b802f223304f86a4facd5a3688d47efbcdb8dc259545e7a

Filename: font_01_sfnt_off000086ef.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x86EF
  Size: 10356 bytes
  SHA-256: 36fb7ef6e4fe94390c312903e5ccb7f6898c99196721567707f22712b7b211d2

Filename: font_02_sfnt_off0000aa63.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAA63
  Size: 4324 bytes
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3