Malicious PDF — malware analysis report

Static analysis result for SHA-256 d056be6005832dd0…

MALICIOUS

PDF

66.6 KB Created: 2021-01-06 19:30:24 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: 297a83802e5288fc10e19b5712e1c888 SHA-1: 2f709868e4da4b258193ab5c348840f689b937f1 SHA-256: d056be6005832dd018a19dad0725f8cbab2ea8998c89c2b6f672651886fc0c0a
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document functions as a link farm and SEO redirector, aiming to trick users into downloading files. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, and 'PDF_SEO_UTM_REDIRECTOR_LINK' specifically points to a free-download phishing lure. The embedded URLs, such as 'https://traffset.ru/aws?utm_term=youth+by+daughter+piano+sheet+music', are likely used to funnel victims to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8523

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/aws?utm_term=youth+by+daughter+piano+sheet+music PDF link annotation
    • https://cdn.sqhk.co/sorubajuzoxe/hdgecge/vikings_the_game_ps4.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4446030/normal_5f9e2ae765200.pdfIn PDF document text
    • https://cdn.sqhk.co/dodiniwotud/T13pPPO/citb_toolbox_talks.pdfIn PDF document text
    • https://cdn.sqhk.co/kupulifip/ieif9jd/halloween_decorations_indoor_party.pdfIn PDF document text
    • https://pojuzalik.weebly.com/uploads/1/3/4/2/134235388/4017155.pdfIn PDF document text
    • https://cdn.sqhk.co/nutanujel/owmiahh/pokemon_xy_tv_show_episode_1.pdfIn PDF document text
    • https://cdn.sqhk.co/waderapal/jthghfO/jaxipapokabo.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4528260/normal_5fdef258a241b.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/d027398c-a39d-463a-93e1-37b74e807533/10593076859.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a388cb3b-c9fd-40f6-85b2-072d9a5f8b12/42577741374.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/486e4009-9dbb-46c5-80c4-bab43a477257/death_invasion_survival_mod_apk_unlimited_money.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f7f2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF7F2 5656 bytes
SHA-256: 230dc0e4d4771525cc3c2fc119cf2329360137679cbdf1050689ac573b3424ce