Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0abfbb61fa76055…

Verdict: MALICIOUS
File type: PDF
Size: 86.4 KB
Created: 2020-11-03 05:13:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: d23c259bd5b9031695146c7b5830ebe6
SHA-1: 21a078c256768ef99d88555b23d5aa4e8b877fa2
SHA-256: d0abfbb61fa76055035938622b69488dcff2a8bb51b8fa2617b2dc399515f3bd
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and routes users through malicious redirector infrastructure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9960

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel: in PDF document text):
    • https://ttraff.cc/123?keyword=lenny+faces+to+copy+and+paste
    • https://cdn-cms.f-static.net/uploads/4421352/normal_5f988356b6065.pdf
    • https://nobinetezo.weebly.com/uploads/1/3/0/9/130969761/2f282aa5a56.pdf
    • https://cdn-cms.f-static.net/uploads/4365594/normal_5f88b3fc39fde.pdf
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.thdl.org/http://www.thdl.org/Tibetan
    • http://www.opentle.org
    • https://uploads.strikinglycdn.com/files/8c25ae86-3ef4-40f0-ba2c-f5dbf3984d5e/el_diccionario_frances_espanol.pdf
    • https://s3.amazonaws.com/betefowubevat/11583910030.pdf
    • https://uploads.strikinglycdn.com/files/c21b7456-2520-44da-81ec-506c837de034/guwazopikame.pdf
    • https://uploads.strikinglycdn.com/files/41458c3f-c81b-456a-b4ef-00e10947e63f/nodori.pdf
    • https://s3.amazonaws.com/tetenifeme/lajelaw.pdf
    • https://s3.amazonaws.com/nilafafakem/asko_dishwasher_d5434_repair_manual.pdf
    • https://s3.amazonaws.com/gotenukevepunin/19727014843.pdf
    • https://uploads.strikinglycdn.com/files/96368b0a-a9c0-42c3-a504-3145d039adb7/how_to_clean_keurig_2._0.pdf
    • https://s3.amazonaws.com/dugibabafod/virorakexereg.pdf
    • https://uploads.strikinglycdn.com/files/7a5afa92-bb50-43ac-a672-43d89b83fec1/android_programming_the_big_nerd_ra.pdf
    • https://s3.amazonaws.com/tarajix/55402541860.pdf
    • https://s3.amazonaws.com/texifaxepag/fimitibumatezamewiribisaw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/copyleft/gpl.htmlTibetan
    • http://www.gnu.org/licenses/gpl.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (11)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_007_off0000a8cb.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xA8CB | 1788 bytes | f930b9911e9640bd8b8d81759c3fade2d61b28df98256a7261ad24f1da5cabc5 |
| font_00_sfnt_off00006285.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6285 | 7092 bytes | 171e1b77fa1540e387841b4710b96dc39f9004b320992e06608567604fe3fa6e |
| font_01_sfnt_off00007466.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7466 | 5052 bytes | 551f3de5451a6228b67dc6a692d61d79c94c57cfc3f83730b7a311ac19429465 |
| font_02_sfnt_off000085b4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x85B4 | 5064 bytes | 1c0399b45983492368b4a0f0a106f64e8c2f32221afb3bc2c51e36a406eff59e |
| font_03_sfnt_off0000971b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x971B | 8904 bytes | e1e5d19d16db50c630cb1365578f6dd9718eeff742a8a4519d283816eff0df5b |
| font_05_sfnt_off0000b1ec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB1EC | 5756 bytes | a926e53cf306cfbf84b7e56e2b664eda823dded13bc417f632ceb300b3af4571 |
| font_06_sfnt_off0000c050.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC050 | 3280 bytes | 9ce66573342960876ef0b593655fb5cc8e501540e518f1d81a5dd779483d49f5 |
| font_07_sfnt_off0000cd56.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCD56 | 17568 bytes | 0131bea72720952c378b29bfec207d1368ed93c502844c6f0e4f446de6651d1f |
| font_08_sfnt_off00010707.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10707 | 21276 bytes | 5934b01ab2b0a01e9b54e572bdbf2db6e44598c447f8017bb6dbf93f114d2618 |
| font_09_sfnt_off00012e4d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E4D | 2376 bytes | 82db6b9f12108823ea0a9f33521460a3f033db19ccc900794c0a6522f7a94f1c |
| font_10_sfnt_off000137f0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x137F0 | 6064 bytes | d97893901ea535a717f2b72409e67ea846b8cd1fa3e7eb276a289e80de6e3c60 |