Malicious PDF — malware analysis report

Static analysis result for SHA-256 d13dca92734ca175…

MALICIOUS

PDF

Size: 72.3 KB
Created: 2020-10-16 21:26:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-14
MD5: f83357962a588b88a6c5f862b04b1066
SHA-1: 9251732911c0560bfaa2a2b6dc2a18ce06f6fa4f
SHA-256: d13dca92734ca175754bcf152f357a6808f250e3a6e2f6bf108743124b119d63
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains an unusually high number of embedded links, at least one of which points to a known malicious redirector. The document body, although heavily obfuscated, also contains a URL matching that redirector. Taken together this indicates a document built to lead users onto malicious infrastructure, most likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF containing many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve to different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All of the following URLs were found in PDF document text:
    • https://ggtraff.ru/strik?keyword=temp%25C3%25A9rature+moyenne+des+plan%25C3%25A8tes
    • https://bedizegoresupa.weebly.com/uploads/1/3/1/3/131379398/8324687.pdf
    • https://gimejexoxixaza.weebly.com/uploads/1/3/1/8/131872185/novovuxosijuzuz_wofabunutigepuw_dugulelura.pdf
    • https://jufaxexave.weebly.com/uploads/1/3/0/7/130775513/sumavi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cdn.shopify.com/s/files/1/0495/8653/6598/files/witness_in_our_time.pdf
    • https://cdn.shopify.com/s/files/1/0433/1608/4891/files/commercial_air_compressor_hose.pdf
    • https://cdn.shopify.com/s/files/1/0266/9540/1644/files/lonely_planet_peru.pdf
    • https://cdn.shopify.com/s/files/1/0499/8532/3168/files/science_skills_center_high_school_district.pdf
    • https://cdn.shopify.com/s/files/1/0266/7731/3733/files/xejurofadijibejobatote.pdf
    • https://cdn.shopify.com/s/files/1/0484/8091/1515/files/7921288568.pdf
    • https://cdn.shopify.com/s/files/1/0431/9933/2516/files/lesson_6.5_practice_a_geometry_answers.pdf
    • https://cdn.shopify.com/s/files/1/0502/1093/0880/files/71451757437.pdf
    • https://cdn.shopify.com/s/files/1/0497/3586/0378/files/paruvifebibome.pdf
    • https://cdn.shopify.com/s/files/1/0495/9027/2152/files/child_maltreatment_study_guide_quizlet.pdf
    • https://uploads.strikinglycdn.com/files/e9c5ba40-2bb2-4cf0-8711-2434bbbcc619/37851535642.pdf
    • https://uploads.strikinglycdn.com/files/b975e553-fd86-421b-8e3e-c3176d0883ac/vozenotubud.pdf
    • https://uploads.strikinglycdn.com/files/4c5c6510-05e4-4938-b10e-7bd1273b213e/malanelefexipurugidezem.pdf
    • https://uploads.strikinglycdn.com/files/16b4dfb5-d637-4b61-ab28-93b81190412d/75053862653.pdf
    • https://cdn.shopify.com/s/files/1/0435/2793/0011/files/cite_evidence_worksheet.pdf
    • https://cdn.shopify.com/s/files/1/0437/8748/5342/files/scummvm_android_save_game.pdf
    • https://cdn.shopify.com/s/files/1/0438/5865/7430/files/division_area_model_video.pdf
    • https://cdn.shopify.com/s/files/1/0503/4042/9982/files/36074538167.pdf
    • https://cdn.shopify.com/s/files/1/0427/6404/2396/files/15013220277.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are the RDF, Dublin Core and Adobe XAP namespace identifiers and the SIL Open Font License URL. They ordinarily originate from the XMP metadata packet and the embedded fonts' licence information, are not clickable links, and can be set aside during triage.
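The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a few lines of standard-library Python. The block below is an added example and not the analysis engine's own code: the PDF it scans is constructed inline (eleven link annotations, nine on one host, plus an incremental update that redefines object 4), it is not the analysed sample, the hostnames in it are placeholders, and the thresholds (200 KB, 10 links, 60% clustering on one host) are illustrative assumptions rather than the engine's values.

```python
"""Link-farm and duplicate-object triage for PDFs (added example; stdlib only)."""
import re
import sys
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Every "N G obj ... endobj" in the raw bytes, in file order. The xref table is
# ignored on purpose: we want every definition the bytes carry, not only the
# one the trailer points at.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values only; hex strings (<...>) and escaped parentheses
# need a real PDF string parser and are out of scope here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def build_sample_pdf() -> bytes:
    """Constructed fixture, not the analysed sample: a one-page PDF with eleven
    /Link annotations (nine on one host) followed by an incremental update that
    redefines object 4 to point at a hypothetical redirector."""
    uris = ["https://cdn.example-host.test/files/%d.pdf" % i for i in range(9)]
    uris += ["https://other-a.test/x.pdf", "https://other-b.test/y.pdf"]
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj")
    for i, uri in enumerate(uris):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >> endobj"
                    % (4 + i, uri.encode()))
    body = b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"
    update = (b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (https://redirector.example.test/strik?keyword=x) >> >> endobj\n%%EOF\n")
    return body + update


def parse_objects(data: bytes):
    """(num, gen, body) for each indirect object definition, in file order."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_bodies(objs):
    """(num, gen) -> distinct bodies, for objects defined more than once with
    different bytes. Benign incremental saves produce this too, so treat it as
    a prompt to diff the bodies, not as a verdict on its own."""
    seen = defaultdict(list)
    for n, g, body in objs:
        if body not in seen[(n, g)]:
            seen[(n, g)].append(body)
    return {k: v for k, v in seen.items() if len(v) > 1}


def resolve(objs, policy="last"):
    """Simulate a first-wins or last-wins reader: which body each (num, gen)
    resolves to. A reader that honours the xref chain behaves like last-wins
    for a well-formed incremental update; lenient recovery parsers vary."""
    table = {}
    for n, g, body in objs:
        if policy == "first" and (n, g) in table:
            continue
        table[(n, g)] = body
    return table


def link_uris(table):
    """URIs reachable through /Link annotations in a resolved object table."""
    uris = []
    for body in table.values():
        if re.search(rb"/Subtype\s*/Link\b", body):
            uris += [m.decode("latin-1") for m in URI_RE.findall(body)]
    return uris


def assess_link_farm(data, policy="last", max_size=200_000, min_links=10, cluster=0.6):
    """PDF_SEO_LINK_FARM shape: a small file whose external .pdf links pile up on
    one host. Thresholds are illustrative assumptions, not the engine's values."""
    uris = link_uris(resolve(parse_objects(data), policy))
    hosts = Counter(urlparse(u).hostname for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_n / len(uris) if uris else 0.0
    return {
        "size": len(data),
        "links": len(uris),
        "pdf_links": sum(urlparse(u).path.lower().endswith(".pdf") for u in uris),
        "top_host": top_host,
        "cluster_ratio": round(ratio, 2),
        "flagged": len(data) <= max_size and len(uris) >= min_links and ratio >= cluster,
    }


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    objs = parse_objects(data)
    for key, bodies in duplicate_bodies(objs).items():
        print("object %d %d defined %d ways:" % (key[0], key[1], len(bodies)))
        for body in bodies:
            print("   ", body[:90])
    for policy in ("first", "last"):
        print(policy, assess_link_farm(data, policy))
```

Run it with a file path to triage a real PDF, or with no arguments to scan the built-in fixture. Checking both resolution policies is the point of the duplicate-object heuristic: on the fixture a first-wins reader never sees the redirector URI that a last-wins reader follows, which is exactly the divergence a detection pipeline should surface rather than silently pick one side of.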

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000cc9d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xCC9D   5440 bytes
  SHA-256: 23484a1ca136853e586c00273bf14b5163a19c952ea651762bcb4960b5ae92c6
font_01_sfnt_off0000de74.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDE74   17220 bytes
  SHA-256: 6c5c101aea1178212758346b28dc8026fecec757234c5179e482d3509fea615e
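Carving font streams like the two listed above comes down to walking the stream objects, inflating those that declare /FlateDecode, and keeping the ones whose first four bytes are an sfnt signature (0x00010000, OTTO, true or ttcf). The block below is an added example, not the analysis engine's carver. The PDF it scans is constructed inline (one page-content stream and one Flate-compressed stream carrying a fake font: an sfnt header plus zero padding) and is not the analysed file; the assumptions that the reported offset is that of the first stream byte and that the sample's fonts were Flate-compressed are mine, and the helper names build_font_sample and carve_fonts are hypothetical.

```python
"""Carve embedded sfnt fonts from PDF streams (added example; stdlib only)."""
import hashlib
import re
import sys
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
# Stream dictionary followed by its data. The data is cut at the next
# "\nendstream"; a production carver should honour /Length instead, because
# compressed bytes can in principle contain that sequence.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)


def build_font_sample():
    """Constructed fixture, not the analysed file: one page-content stream and
    one Flate-compressed stream whose payload starts with the TrueType sfnt
    signature (fake font: header bytes plus zero padding)."""
    font = b"\x00\x01\x00\x00" + b"\x00\x04" + bytes(120)
    packed = zlib.compress(font)
    page = b"BT /F1 12 Tf (hello) Tj ET"
    pdf = b"%PDF-1.4\n"
    pdf += b"4 0 obj << /Length %d >> stream\n" % len(page) + page + b"\nendstream endobj\n"
    pdf += (b"5 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >> stream\n"
            % (len(packed), len(font)) + packed + b"\nendstream endobj\n")
    pdf += b"%%EOF\n"
    return pdf, font


def carve_fonts(pdf):
    """Return one record per sfnt font found in a stream: carved filename in the
    report's naming style, data offset, decoded size, SHA-256 and the bytes."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, raw = m.group(1), m.group(2)
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or corrupt stream: skipped here, a real tool would log it
        if data[:4] not in SFNT_MAGICS:
            continue
        offset = m.start(2)  # assumption: the report's offset is the first byte of stream data
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), offset),
            "offset": offset,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return found


if __name__ == "__main__":
    pdf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_font_sample()[0]
    for f in carve_fonts(pdf):
        with open(f["name"], "wb") as out:
            out.write(f["data"])
        print("%s  %d bytes  SHA-256 %s" % (f["name"], f["size"], f["sha256"]))
```

The carved files are what you hand to a font parser or fuzzer harness next; the page-content stream is skipped because its bytes carry no sfnt signature, and a stream that fails to inflate is skipped rather than crashing the run, since deliberately corrupt streams are themselves a common evasion against static tools.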