Malicious PDF — malware analysis report

Static analysis result for SHA-256 e74811d5c2427604…

MALICIOUS

PDF

47.7 KB Created: 2020-11-03 04:05:48 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e4af8edf3d1b78741d29ae7c3bba748b SHA-1: 5df865efbdb7cdc49438850d668a63e0503651fb SHA-256: e74811d5c2427604bb9781dff6d96b053383ace07c43447d0694b3d9ac1702da
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple embedded links, with one specifically identified as a malicious redirector. The document body, though heavily obfuscated, contains a URL that matches the malicious redirector found in the heuristics. The presence of numerous external PDF links suggests a link farm or SEO manipulation tactic, potentially to obscure the malicious destination. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/123?keyword=lakeside+arena+frankfort+kentucky
    • https://donibirumot.weebly.com/uploads/1/3/4/4/134463545/7810473.pdf
    • https://tarirubawapub.weebly.com/uploads/1/3/1/6/131606173/ximozoropetot.pdf
    • https://sazojowob.weebly.com/uploads/1/3/4/3/134351878/janinixuzizikosafot.pdf
    • https://fadusoga.weebly.com/uploads/1/3/0/7/130739873/nikoseket.pdf
    • http://www.opentle.org
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/485683b4-9c08-4cfc-993c-a408443908de/varubisatesititimuneva.pdf
    • https://uploads.strikinglycdn.com/files/9a99a679-01d6-499a-b38d-f9ac99ef5f00/taxurofelurexufawiluwakut.pdf
    • https://uploads.strikinglycdn.com/files/f5035921-6811-413c-a2bd-79397ba4cea5/levodetebelavumatu.pdf
    • https://cdn.shopify.com/s/files/1/0482/6985/2833/files/little_tikes_house_with_mailbox.pdf
    • https://uploads.strikinglycdn.com/files/2fbbe93b-8c0b-42c8-9ef4-9af97cbffb44/voguromoteseduwopofogij.pdf
    • https://uploads.strikinglycdn.com/files/63969927-8168-41c7-b4e8-e1ea38d343fb/tirusepafemogedatilufepej.pdf
    • https://uploads.strikinglycdn.com/files/3f52666a-6b8c-48f8-a56f-70a5a1717a24/bugufusogofugegifipejap.pdf
    • https://uploads.strikinglycdn.com/files/ab2b6372-6460-4e9a-9c64-53b32f73bbad/bollywood_news_msn.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00006d8c.bin
1033d3fe2a2c33f998d154684d8dc185c9aef9efcf615d98b39894437a8f5571		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6D8C 11752 bytes
font_00_sfnt_off00005c26.bin
484d00dc8b3122b2b2613c1afbca80ccb5db4d3ac0a327d1bf4b31c28621abd5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C26 5092 bytes
font_02_sfnt_off00008eae.bin
027a90e23b759d5938f21b16edc7303c0eed6b363aa865def63bb2501409c2bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8EAE 10376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.