Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc770b09574d6842…

MALICIOUS

PDF

Size: 138.0 KB
Created: 2020-11-07 22:11:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-15

MD5: 5cca225185aa67d59a1ee7e8b2b9d6ce
SHA-1: e204256b0fbd707f256c284cc23e44ace1e70405
SHA-256: dc770b09574d6842736e63899da221939e3cc15a6a3250f51d8fac6ec784eda5

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links, and a critical heuristic identifies it as a link farm. One of the primary external URIs, 'https://trafffi.ru/aws?keyword=splatoon+chaos+vs+order+shirts', suggests an SEO-based lure aimed at users searching for specific terms. While no scripts were directly extracted, the PDF structure and the extensive link farm indicate an attempt to redirect users to malicious content, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9897

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://trafffi.ru/aws?keyword=splatoon+chaos+vs+order+shirts (PDF link annotation)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00018e2c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18E2C
    Size: 6744 bytes
    SHA-256: 0eac1552a6a0cc8d6d43e14f5c157d052ff2bf21460314f67a2c213e0a454e63
  • font_01_sfnt_off00019ee2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19EE2
    Size: 4736 bytes
    SHA-256: da7a5d65c8d3af9068f85385d736fd7e6bd420ba0a1c4bc9de053d8a93cd067e
  • font_02_sfnt_off0001af64.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1AF64
    Size: 5324 bytes
    SHA-256: 16981d2efdd449d64d8de5ff2d80211034c925bc878b1cc08e4d883e3cbaa0c5
  • font_03_sfnt_off0001c174.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C174
    Size: 3116 bytes
    SHA-256: a0635afd93ea82bc0100718efedbee5c86adef3d004a19d9ce2089823442805c
  • font_04_sfnt_off0001cde6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1CDE6
    Size: 18204 bytes
    SHA-256: 1b397c5a7957e26e1c7ac891d76b3faa768126149d645832be62769527136e22
  • font_05_sfnt_off0002044c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2044C
    Size: 16092 bytes
    SHA-256: 9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2