Malicious PDF — malware analysis report

Static analysis result for SHA-256 dec1a65f25f95202…

MALICIOUS

PDF

62.2 KB Created: 2020-10-11 12:41:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-26
MD5: 571c582a76e85d8c3f5450057b17eb49 SHA-1: b0733b62c8ef11da75a8edc6dbd763f0a1c369b2 SHA-256: dec1a65f25f9520201a1ca576f9b27a67f3f0496fc1cb6264ccdf52fbd45e0be
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with several heuristics indicating it's part of a link farm or redirector scheme. One URL, 'https://gettraff.ru/strik?keyword=ipc+j+std+001e+2010+pdf', is flagged as a malicious redirector. The document body, though heavily obfuscated, also contains this URL and other links to PDF files hosted on disposable or SEO-focused platforms.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/strik?keyword=ipc+j+std+001e+2010+pdf In PDF document text
    • https://site-1038471.mozfiles.com/files/1038471/84655367194.pdfIn PDF document text
    • https://site-1043119.mozfiles.com/files/1043119/tanalorupusatuwojudegamon.pdfIn PDF document text
    • https://site-1040278.mozfiles.com/files/1040278/92316073999.pdfIn PDF document text
    • https://site-1041492.mozfiles.com/files/1041492/vefanupulukawix.pdfIn PDF document text
    • https://site-1036839.mozfiles.com/files/1036839/67639178571.pdfIn PDF document text
    • http://savibi.natashashapiro.com/uploads/1/3/1/4/131407668/jepulavogiforo.pdfIn PDF document text
    • http://silefe.jihyunhong.com/uploads/1/3/0/8/130814687/zizeginomuxavegi.pdfIn PDF document text
    • http://files.pacificbuildersintl.com/uploads/1/3/1/4/131407135/nelamadakusuruf.pdfIn PDF document text
    • http://saxeso.andamanfrontiertravels.com/uploads/1/3/0/7/130740000/doretodogizuwov.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/1966672e-9283-4893-8e05-b01f7d15c3a6/nosadeziwelawas.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0bff9234-d180-45f0-8045-a413968394f3/gefefeburupitog.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/68b89387-92f9-4591-892c-6dc7e73d945d/ziletuwazozoka.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0483/4371/1907/files/45947265730.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0483/5213/3269/files/penguin_massacre_argentina.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000075b7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x75B7 13968 bytes
SHA-256: 53c4cab9d1646d5fe82c408d65fc456b9814ddf348db74a5da3c62ac104eae7f
font_01_sfnt_off0000a268.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA268 5148 bytes
SHA-256: ec778873927537ff0f4070a9f4a70ff7759cb79528569f9d3e0eea97f0eaa91e
font_02_sfnt_off0000b417.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB417 10004 bytes
SHA-256: db494364f16d6a40ce285f45a637c0417d62f6f0c3402edbace90771b029f002
font_03_sfnt_off0000d6ae.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD6AE 16088 bytes
SHA-256: ccd0ea095085b9379100d4de0d13d045157d8501f46cd3db2ef5c00475687e02

Open this report in the interactive analyzer, or submit your own file for analysis.