Malicious PDF — malware analysis report

Static analysis result for SHA-256 da21122f80c4ab99…

MALICIOUS

PDF

40.8 KB Created: 2020-09-17 21:36:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0bd2cd6b491eaea755119ffbbfd585d9 SHA-1: a23904574095a6effa8531d762fce0d4d9244144 SHA-256: da21122f80c4ab99b7ccb4d30f551e7cf046a25c9e5d7f33d669881655375c07
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded links, identified as a link farm, which are designed to redirect users to malicious content. One critical heuristic specifically flagged a link to a known malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the primary redirector found in the heuristics. This indicates a phishing or redirection attack designed to lead users to further malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=old+town+guide+119+craigslist
    • http://fojilefij.mclendon.online/uploads/1/3/1/4/131483154/9565956c57b.pdf
    • http://wubisusob.pachamamamarket.org/uploads/1/3/1/6/131606069/pivaduwev_rajanipenaximap_mijurovogovujos.pdf
    • http://files.jfransfarm.com/uploads/1/3/0/9/130969543/magikutemuzawo.pdf
    • http://rakor.flycentre.com.au/uploads/1/3/1/8/131856554/2304585.pdf
    • http://niminip.psubaltimore.org/uploads/1/3/1/4/131453062/pidexutopuf-nowuxijotamak.pdf
    • https://cdn.shopify.com/s/files/1/0430/2385/9873/files/prey_neuromod_fabrication.pdf
    • https://cdn.shopify.com/s/files/1/0428/7073/5014/files/grados_de_movimiento_articular.pdf
    • https://cdn.shopify.com/s/files/1/0428/1538/9855/files/sugokezef.pdf
    • https://cdn.shopify.com/s/files/1/0435/5352/1823/files/fisola.pdf
    • https://f36ba93d-ce48-4602-bb9f-f3d1f3b5501d.filesusr.com/ugd/bf0735_798efc38d8d64fe98f2c815c8fa64673.pdf?index=true
    • https://a075de55-b8a8-4d2c-a8d1-3ab636911431.filesusr.com/ugd/81d6a4_6c33eb2d72804319aee29fde5d18d1dd.pdf?index=true
    • https://f3114e8f-6ce0-47cc-9248-0909e1db408d.filesusr.com/ugd/8e6e76_9727107718364f619071297584c59bcd.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0433/0107/7142/files/86144738409.pdf
    • https://cdn.shopify.com/s/files/1/0438/2890/4093/files/12542236169.pdf
    • https://cdn.shopify.com/s/files/1/0434/2353/1175/files/vejinax.pdf
    • https://cdn.shopify.com/s/files/1/0431/8583/2096/files/advanced_java_tutorials_point.pdf
    • https://cdn.shopify.com/s/files/1/0433/3076/4968/files/puzereratubikufareju.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000617c.bin
2e185d59ae9a83022267ab771ab3386c95d7e83a2858af28c0ffebc4ae603f57		 pdf-font-stream PDF embedded font (sfnt) at offset 0x617C 5436 bytes
font_01_sfnt_off0000741c.bin
82ad5f4a489bb79ab5b2f33e1033e57f4247dde9ccf0c7ef2a5b55300f807d9a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x741C 9968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.