Malicious PDF — malware analysis report

Static analysis result for SHA-256 cacf1a02341dd8b1…

Verdict: MALICIOUS
File type: PDF
Size: 69.9 KB
Created: 2020-11-06 05:39:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: 41be572b2304dbc3cf81a9ed9bb12023
SHA-1: 9658833670b5d56cf8befdb59de0876b972a2e5e
SHA-256: cacf1a02341dd8b1cd6d3b9addc90f93d8ed8290ba871997a3f50f26146b64ce
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (SHA-256 on the following line)
font_00_sfnt_off00005e00.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5E00 5684 bytes
SHA-256: b860fb277252ee9b20429d811032d938c2d219a75430a49174b6e9a82640b652
font_01_sfnt_off000071dd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x71DD 5368 bytes
SHA-256: 2e9911d13fd149b368f70f85a6316d785a1fe2492fd244875decb9d12247b965
font_02_sfnt_off0000840d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x840D 2656 bytes
SHA-256: c206ac4eca120f096112d408dff6b33a2f721090936d80486df636e1cd240fde
font_03_sfnt_off00008f13.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8F13 2328 bytes
SHA-256: 3702365b3034b9d7945da23b991b5e2ac3f8bb06d1ba3be7e5ba1b5d8dd48c9f
font_04_sfnt_off000099ca.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x99CA 2108 bytes
SHA-256: e66bd646ff29f48b94a898642357a1d5295b77faffa0bd70eb77acb4aebc9a97
font_05_sfnt_off0000a396.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA396 6640 bytes
SHA-256: eca62b72654736461a635ba366d09d794777fd95c58152d2b251becdfce657e0
font_06_sfnt_off0000b533.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB533 15348 bytes
SHA-256: 67fbe7b2dbb52ff57be0bb31a1bf684dce73e9a9a3a69c7a348c9208c5919e58
font_07_sfnt_off0000e406.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE406 16652 bytes
SHA-256: f621a650ce5612d7d34ad4a305dc081f92462961aba061ec77ea3a57534fcaa4
font_08_sfnt_off0000fb35.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFB35 3276 bytes
SHA-256: 51c1d5fa29146058fbc649eac7766b85490f6942bd67486bd14cc46e9087474c