Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5816e1657638233…

MALICIOUS

PDF

79.2 KB Created: 2020-12-17 21:00:38 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: 62266777761b0a5dd4f252afb935cced SHA-1: 975775ee86ee44956ac016885c3d7791b801a08c SHA-256: f5816e1657638233e0d835ae1df029f789ed9b1ea6397b082752e037e57e14e2
254 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains multiple links to redirector domains, including 'ggtraff.ru', which is flagged as malicious. The document body, though heavily obfuscated, suggests a lure related to 'Marvell magni driver', indicating a potential phishing or malware distribution attempt. The presence of numerous PDF links in a link farm further supports the malicious intent of directing users to external, potentially harmful, content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?utm_term=marvell+magni+driver In PDF document text
    • https://kadeborejegan.weebly.com/uploads/1/3/2/7/132740978/52afa65.pdfIn PDF document text
    • https://xelemurefitarag.weebly.com/uploads/1/3/4/6/134601467/fupibudaj.pdfIn PDF document text
    • https://xitawameduzip.weebly.com/uploads/1/3/4/5/134511141/2537826.pdfIn PDF document text
    • https://tajuboramaze.weebly.com/uploads/1/3/4/5/134591815/4201313.pdfIn PDF document text
    • https://ziripovopibew.weebly.com/uploads/1/3/0/8/130874468/4108359.pdfIn PDF document text
    • https://mafukizagodixep.weebly.com/uploads/1/3/4/5/134525221/5149409.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://static1.squarespace.com/static/5fc2c8b6405d5340f335e453/t/5fc4229d145a8629dc32b4ac/1606689438110/thomas_nagel_bat.pdfIn PDF document text
    • https://s3.amazonaws.com/kobivimelelo/rodokajorab.pdfIn PDF document text
    • https://s3.amazonaws.com/babetafaperaxov/bacteriology_lab_manual.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5ff54d3e-839f-4bb6-bc63-9747824c34c7/wulapuvajofivivut.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6623b7a6-4332-4ff5-8c82-cb7ba9ed0a6b/wendys_chicken_nugget_nutrition.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/84fc6573-16b2-497c-9f42-96b1206689f6/mugen_shift_knob_fk8.pdfIn PDF document text
    • https://s3.amazonaws.com/nuxomigo/string._format_java_null.pdfIn PDF document text
    • https://s3.amazonaws.com/mefonevimimix/cytokinesis_in_animal_cells.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ebed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEBED 3440 bytes
SHA-256: 39369340c291d3f2bfe4533add3dcbd5928bc7e9a476b9990d7287564dbae8a6
font_01_sfnt_off0000f848.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF848 5032 bytes
SHA-256: 2996f56327d29fa795e14e8a5f916c43a241b8bc7ce90261bce39196467b5437
font_02_sfnt_off00010960.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10960 11308 bytes
SHA-256: e3458bb83e0365ac2a199fe83f865e04c7c03cb71e8802c049177204b2a7580c