Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed9380195a5017b6…

MALICIOUS

File type: PDF
Size: 45.0 KB
Created: 2020-10-16 08:46:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-22
MD5: 674a44ffd9fe369b9553c5a0f48f374b
SHA-1: 2d503fdba7584644510b420685d814a8f2475843
SHA-256: ed9380195a5017b6f613ee123787b1e7f2f163d41c902ebc5a93b5c7e399692d
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF is small (45 KB) yet carries a large number of clickable links, most of them pointing to other externally hosted PDFs on a few file-hosting CDNs, a pattern that matches a generated SEO link-farm carrier rather than normal document citations. One critical heuristic matched a URI pointing at known malicious redirector infrastructure, indicating a phishing or unwanted-software distribution attempt that relies on the user clicking through a redirect chain rather than on a PDF parser vulnerability. The ML classifier independently scored the file as malicious (1.0000). No active content (JavaScript, launch or open actions) was reported by the heuristics, and the one parser-confusion finding (a duplicated object body) was left at informational severity for that reason; the verdict rests on the link pattern and the redirector destination.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (4)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined more than once with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was reached through the PDF document text channel. The w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers from the document metadata, and the ascendercorp.com and scripts.sil.org/OFL entries are vendor and licence URLs of the kind carried in embedded font metadata; none of these are clickable links.
    • https://gettraff.ru/strik?keyword=public+relations+and+reputation+management+pdf
    • https://cdn-cms.f-static.net/uploads/4368486/normal_5f8890f967ba3.pdf
    • https://cdn-cms.f-static.net/uploads/4368251/normal_5f88c0b6156fb.pdf
    • https://cdn-cms.f-static.net/uploads/4369657/normal_5f886052b6f4d.pdf
    • https://cdn-cms.f-static.net/uploads/4369163/normal_5f88c491960a8.pdf
    • https://cdn-cms.f-static.net/uploads/4373517/normal_5f88f2db1f54b.pdf
    • https://cdn-cms.f-static.net/uploads/4369905/normal_5f888d76f1f62.pdf
    • https://cdn-cms.f-static.net/uploads/4369772/normal_5f890111af66e.pdf
    • https://cdn-cms.f-static.net/uploads/4369336/normal_5f891acdb95a9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/fa8c5f02-da43-4e1c-8d90-23eaf7170e30/28457693421.pdf
    • https://uploads.strikinglycdn.com/files/09eba7ae-b283-4760-980a-12dd436eed01/topowetowetolasusagigoku.pdf
    • https://uploads.strikinglycdn.com/files/a8b6fc5e-d4d4-4cff-86ec-f510f46c12b9/48203904208.pdf
    • https://uploads.strikinglycdn.com/files/8f10cd85-c470-49fe-ba53-d91130d20487/dagibirawoxerafesaweg.pdf
    • https://uploads.strikinglycdn.com/files/888556e5-c7b0-41a7-8008-590471a106fd/kujur.pdf
    • https://uploads.strikinglycdn.com/files/43a83dea-5883-4673-848e-a3381164e525/85273558502.pdf
    • https://uploads.strikinglycdn.com/files/9cf24d60-0127-4008-958e-8be0348c8f4b/keduluxodizisaw.pdf
    • https://uploads.strikinglycdn.com/files/892a2c14-66a6-467f-a949-dbc1b91360f8/rojukuwanupogelalezabid.pdf
    • https://uploads.strikinglycdn.com/files/5f8d432e-a665-432c-afb9-9bc46989c3c6/lopujoluj.pdf
    • https://uploads.strikinglycdn.com/files/91a52d4f-9ae6-4a27-b15f-5e893b880aa7/kumemowifisesotozudebu.pdf
    • https://uploads.strikinglycdn.com/files/543bcd9b-c46a-46b9-8b68-a477a8d2c706/53570326755.pdf
    • https://cdn.shopify.com/s/files/1/0432/0159/3502/files/bamorotutusi.pdf
    • https://cdn.shopify.com/s/files/1/0437/1077/5464/files/curriculum_guide_in_english_8.pdf
    • https://cdn.shopify.com/s/files/1/0481/5300/2135/files/ap_psychology_review_guide.pdf
    • https://cdn.shopify.com/s/files/1/0429/6291/1391/files/jozekulozikozono.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
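The following Python is an added example and not the scanner's own code. It reproduces, on a constructed toy PDF, the two heuristics described above that depend on file structure: the duplicate-object-body check (which body a first-wins versus a last-wins reader resolves, and severity raised only when a duplicate carries active content) and the link-farm check (small file, many external .pdf URIs, most of them clustered on one host). The host names, URIs and thresholds are assumptions, and the objects are walked with regular expressions over the raw bytes on purpose: a lenient PDF library would silently pick one resolution policy and hide the duplicate.

```python
"""Added example, not the scanner's own code: a raw-byte walk over a constructed
toy PDF that mirrors the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM
heuristics. Thresholds, host names and URIs below are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj ... endobj" in file order; the lookbehind stops "10 0 obj" matching as "0 0 obj"
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string /URI values only
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA)\b")  # "active content" keys


def parse_objects(data: bytes):
    """Every indirect object definition, duplicates included, as (num, gen, body)."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(objs):
    """(num, gen) -> bodies, for objects defined more than once with differing bytes."""
    seen = {}
    for n, g, body in objs:
        seen.setdefault((n, g), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(objs, key, policy="last"):
    """What a first-wins or last-wins reader would see for a duplicated object."""
    bodies = [b for n, g, b in objs if (n, g) == key]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_severity(objs):
    """'info' for a body-only difference, raised to 'high' if any copy carries active content."""
    dups = duplicate_objects(objs)
    if not dups:
        return "none"
    if any(ACTIVE_RE.search(b) for bodies in dups.values() for b in bodies):
        return "high"
    return "info"


def extract_uris(objs):
    return [u.decode("latin-1") for _, _, body in objs for u in URI_RE.findall(body)]


def link_farm_verdict(data, uris, max_size=100 * 1024, min_links=10, min_cluster=0.5):
    """Small file + many external .pdf links + most of them on one host (assumed thresholds)."""
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    if len(data) > max_size or len(pdf_links) < min_links:
        return False, {}
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    _top_host, top_n = hosts.most_common(1)[0]
    return top_n / len(pdf_links) >= min_cluster, dict(hosts)


# --- constructed toy input (not the analysed sample) ---------------------------
CLUSTER_HOST = "cdn-example.net"  # assumed host name
SAMPLE_URIS = [f"https://{CLUSTER_HOST}/uploads/{i}/normal_{i:04x}.pdf" for i in range(9)] + [
    "https://files.example.org/a.pdf",
    "https://files.example.org/b.pdf",
    "https://example.com/index.html",
]
BENIGN_UPDATE = "<< /Type /Catalog /Pages 2 0 R /Lang (en) >>"
JS_UPDATE = "<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>"


def build_sample(uris, update_body=None):
    """Minimal PDF with one link annotation per URI; update_body redefines object 1 0
    in an appended incremental update, the shape the duplicate-object heuristic looks for."""
    annots = " ".join(f"{10 + i} 0 R" for i in range(len(uris)))
    parts = [
        "%PDF-1.4\n",
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{annots}] >>\nendobj\n",
    ]
    for i, uri in enumerate(uris):
        parts.append(f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link "
                     f"/A << /S /URI /URI ({uri}) >> >>\nendobj\n")
    parts.append("trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    if update_body is not None:
        parts.append(f"1 0 obj\n{update_body}\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return "".join(parts).encode("latin-1")


if __name__ == "__main__":
    data = build_sample(SAMPLE_URIS, update_body=BENIGN_UPDATE)
    objs = parse_objects(data)
    print("duplicates:", list(duplicate_objects(objs)), "severity:", duplicate_severity(objs))
    print("first-wins:", resolve(objs, (1, 0), "first"))
    print("last-wins: ", resolve(objs, (1, 0), "last"))
    print("link farm:", link_farm_verdict(data, extract_uris(objs)))
    print("with JS in update:", duplicate_severity(parse_objects(build_sample(SAMPLE_URIS, JS_UPDATE))))
```

Run as a script it prints the duplicate key, both resolutions of object 1 0, and the host histogram behind the link-farm verdict; swapping in JS_UPDATE shows the severity jump to "high" that the heuristic text describes. URI_RE only handles literal-string URIs, so hex-string or object-stream-packed annotations would need a real parser.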

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
font_00_sfnt_off00006fa5.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6FA5  | 5616 bytes
  SHA-256: 564c4d7bf3314de46876631ba202aa7e56c5d0507475a924c5f1ba8868e76a75
font_01_sfnt_off00008297.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8297  | 10496 bytes
  SHA-256: e9503af386920c29e516dda1fe0eafe0be2571fa94f0bf63ee128cee4d367bf1
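Before feeding carved font streams like the two above into a font parser it is worth checking that their sfnt table directory is internally consistent, since embedded fonts are a classic parser attack surface. The Python below is an added example, not the scanner's carving code, and the font it builds is a constructed toy rather than either of the listed artifacts; the version whitelist and table-count limit are assumptions.

```python
"""Added example, not the scanner's own code: sanity-check a carved sfnt font
stream (offset table + table directory) before handing it to a font parser.
The font built here is a constructed toy, not one of the carved artifacts."""
import hashlib
import struct

SFNT_VERSIONS = {0x00010000: "TrueType 1.0", 0x4F54544F: "OTTO (CFF)", 0x74727565: "true (Apple)"}


def table_checksum(data: bytes) -> int:
    """Spec checksum: big-endian uint32 sum over the table, zero-padded to 4 bytes."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def build_sfnt(tables):
    """Constructed toy font: offset table, directory records, then the tables themselves."""
    n = len(tables)
    offset = 12 + 16 * n
    records, body = [], b""
    for tag, data in tables:
        padded = data + b"\0" * (-len(data) % 4)
        records.append(struct.pack(">4sIII", tag, table_checksum(data), offset, len(data)))
        body += padded
        offset += len(padded)
    entry_selector = max(n.bit_length() - 1, 0)
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, entry_selector, n * 16 - search_range)
    return header + b"".join(records) + body


def check_sfnt(blob: bytes, max_tables=64):
    """Return a list of problems; an empty list means the directory is internally consistent."""
    issues = []
    if len(blob) < 12:
        return ["truncated offset table"]
    version, n, _sr, _es, _rs = struct.unpack(">IHHHH", blob[:12])
    if version not in SFNT_VERSIONS:
        issues.append(f"unknown sfnt version 0x{version:08x}")
    if n == 0 or n > max_tables:  # assumed sanity limit
        issues.append(f"implausible numTables {n}")
    dir_end = 12 + 16 * n
    if len(blob) < dir_end:
        issues.append("table directory truncated")
        return issues
    for i in range(n):
        tag, checksum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        if off < dir_end or off + length > len(blob):
            issues.append(f"table {tag!r} out of bounds (offset {off}, length {length})")
            continue
        # 'head' is skipped: its directory checksum is computed with checkSumAdjustment zeroed
        if tag != b"head" and table_checksum(blob[off:off + length]) != checksum:
            issues.append(f"table {tag!r} checksum mismatch")
    return issues


def describe(blob: bytes) -> dict:
    """Report-style summary: SHA-256, declared version and table count, plus any issues."""
    version, n = struct.unpack(">IH", blob[:6]) if len(blob) >= 6 else (0, 0)
    return {"sha256": hashlib.sha256(blob).hexdigest(),
            "version": SFNT_VERSIONS.get(version, "unknown"),
            "tables": n, "issues": check_sfnt(blob)}


if __name__ == "__main__":
    good = build_sfnt([(b"head", b"\0" * 54), (b"name", b"toyfont")])
    print(describe(good))
    bad = bytearray(good)
    struct.pack_into(">I", bad, 12 + 16 * 1 + 12, 0xFFFF)  # blow up the 'name' table length
    print(describe(bytes(bad)))
```

A length that runs past the end of the stream, or a checksum that does not match, is exactly the kind of inconsistency a hostile font relies on and a lenient rasteriser may tolerate; either should keep the artifact in the sandbox rather than on an analyst's desktop font stack.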