Malicious PDF — malware analysis report

Static analysis result for SHA-256 f41b6c7041d405e6…

MALICIOUS

PDF

46.2 KB Created: 2020-10-30 21:43:41 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: 285cee8e283cf22d92b354dc6e48061c SHA-1: e27be83eff2923ce07f39db4f94b569410411c32 SHA-256: f41b6c7041d405e6371b7d251cc7c8f173d2d72a452fe03818c3c72291f0384f
202 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple heuristics indicating malicious redirector links and a link farm, suggesting a phishing or scam attempt. The embedded URL `https://ggtraff.ru/123?keyword=korsakov+orchestration+pdf` is flagged as a known malicious redirector. The presence of a 'download button' lure further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/123?keyword=korsakov+orchestration+pdf In PDF document text
    • https://cdn-cms.f-static.net/uploads/4415068/normal_5f97205e93dab.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://cdn.shopify.com/s/files/1/0435/3903/8359/files/72611683783.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b30927f5-2c8d-46a3-b430-586c19105886/yugioh_apk_duel_generation.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ede444ab-9c7d-4f55-9c42-a7ce9428b0bc/gutavavomixufifo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/54fc7fe9-80ae-43f8-a125-7c4bef079e5d/2538838196.pdfIn PDF document text
    • https://s3.amazonaws.com/felasorarabipis/21872040262.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0504/5475/7575/files/butobajokixa.pdfIn PDF document text
    • https://s3.amazonaws.com/napisakaluja/tunatokekij.pdfIn PDF document text
    • https://s3.amazonaws.com/guwutivupudutu/startup_business_plan_sample.pdfIn PDF document text
    • https://cdn.shopify.com/s/files/1/0504/3922/5504/files/syba_foundation_course_in_marathi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9808c7a9-9926-497c-9be7-380896b3d301/jojewato.pdfIn PDF document text
    • https://s3.amazonaws.com/kavitokolezub/87568678884.pdfIn PDF document text
    • https://s3.amazonaws.com/vezumobigodub/veneer_cementation.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005351.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5351 5092 bytes
SHA-256: 495097644abe14edb967f1f096fecf9289b2c77f39b6d83f04adeb8966d042c7
font_01_sfnt_off00006497.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6497 10608 bytes
SHA-256: 3a5067a0c8a1af01aa1cd1db6ea29236fb0543ea30a69e2013fc103f5cabd258
font_02_sfnt_off000088f5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x88F5 16096 bytes
SHA-256: 61761e6c71fdd980502ce8a3a8cbf9590216241eb9eabe72fdf309a1c23cd3c2
font_03_sfnt_off00009dbe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x9DBE 4324 bytes
SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361