Malicious PDF — malware analysis report

Static analysis result for SHA-256 d94ac336d12daa64…

Verdict: MALICIOUS
File type: PDF

  • Size: 49.8 KB
  • Created: 2020-10-29 20:43:42 +02:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • First seen: 2021-05-26
  • MD5: 3ae15b79e54623c8fc4063f56dd47336
  • SHA-1: 3c9c14c5adcf0260d5008a852569fcc97dfabddf
  • SHA-256: d94ac336d12daa6431180b972e46605bbe443668f6d3958e7552a90c6f97aee8
  • Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains a large number of embedded links, identified as a PDF link farm, with the primary link pointing to a known malicious redirector. The ML classifier also strongly indicated maliciousness. The embedded links likely serve to direct users to malicious sites for phishing or malware distribution, aligning with spearphishing attachment tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ggtraff.ru/strik?keyword=book+of+vile+darkness+5e+item In PDF document text
    • https://nobinetezo.weebly.com/uploads/1/3/0/9/130969761/914e7258.pdf In PDF document text
    • https://togurekeve.weebly.com/uploads/1/3/4/0/134040335/sororatedegu-niwetikibax-kenebetadikizip.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4380857/normal_5f9a6e3d96da2.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4365525/normal_5f8cebc2941cf.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4374860/normal_5f91d712c1830.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4383806/normal_5f8d4403cdea6.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4368768/normal_5f8ab05ae940a.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4365539/normal_5f89b8ae423c8.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4365575/normal_5f9102a539ba7.pdf In PDF document text
    • https://guboriratuji.weebly.com/uploads/1/3/4/2/134235556/07ccab770b9.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4366346/normal_5f88aae660199.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4367920/normal_5f87b2080a28e.pdf In PDF document text
    • https://wekubuzebebam.weebly.com/uploads/1/3/0/7/130739705/c53b361c.pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4368485/normal_5f8fa2f76a04a.pdf In PDF document text
    • http://www.ascendercorp.com/ In PDF document text
    • http://www.ascendercorp.com/typedesigners.html In PDF document text
    • http://www.daltonmaag.com/ In PDF document text
    • https://uploads.strikinglycdn.com/files/25ac2728-bda6-4d5e-8ae9-7d1d5b3474c3/sigilaxodidoviwavone.pdf In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://purl.org/dc/elements/1.1/ In PDF document text
    • http://ns.adobe.com/pdf/1.3/ In PDF document text
    • http://ns.adobe.com/xap/1.0/ In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ In PDF document text
    • http://scripts.sil.org/OFL In PDF document text

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000075f6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x75F6
    Size: 5140 bytes
    SHA-256: bd86d6b783b563719dd357d775a793b78006cb90188b8fdb958579ca467cabd2
  • font_01_sfnt_off00008766.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8766
    Size: 10880 bytes
    SHA-256: f01a0aa2e20a2c8632facd2799a67615ef1e3f6c5d99556281f3a68bc0cccaa9
  • font_02_sfnt_off0000ac51.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAC51
    Size: 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378