Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5f4cf1ff9d6dfa5…

MALICIOUS

PDF

49.6 KB Created: 2020-10-25 11:22:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 51f6f146ab7a05d8e03e9f4ab0e88529 SHA-1: 24d64b6848ceaeb476f3e9e14974dcecd897c0f0 SHA-256: f5f4cf1ff9d6dfa5235af7f4fcfec5200f104729049881188eb34901a265fae5
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links pointing to external PDF files, many of which are hosted on link farms. One of the primary links directs to a known malicious redirector. The document's content is a lure to encourage users to click these links, likely leading to further malicious content or malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/pify?keyword=merge+several+excel+worksheets+into+one
    • https://tivakoxidedopa.weebly.com/uploads/1/3/0/7/130776298/466f8705e690d34.pdf
    • https://rokufekajo.weebly.com/uploads/1/3/0/8/130814342/d8457.pdf
    • https://wetuxabo.weebly.com/uploads/1/3/0/8/130873937/sefufizodofok.pdf
    • https://suvibumaluri.weebly.com/uploads/1/3/4/4/134458401/3206405.pdf
    • https://pavowojavujide.weebly.com/uploads/1/3/1/3/131398322/9015792.pdf
    • https://cdn-cms.f-static.net/uploads/4375704/normal_5f8ef1c3c6b96.pdf
    • https://cdn-cms.f-static.net/uploads/4368224/normal_5f943df4e56db.pdf
    • https://cdn-cms.f-static.net/uploads/4384037/normal_5f8f05c45717f.pdf
    • https://cdn-cms.f-static.net/uploads/4366308/normal_5f8748b8b9710.pdf
    • https://cdn-cms.f-static.net/uploads/4378171/normal_5f8c44c90ba8e.pdf
    • https://cdn-cms.f-static.net/uploads/4367287/normal_5f8a0eaa07080.pdf
    • https://cdn-cms.f-static.net/uploads/4367960/normal_5f8ee1b62bcd3.pdf
    • https://cdn-cms.f-static.net/uploads/4391909/normal_5f9246dca69f5.pdf
    • https://cdn-cms.f-static.net/uploads/4403415/normal_5f947b5e5c649.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7b101c38-a825-4e3c-9c0b-9c0786518acb/dibinofeteragexevarugani.pdf
    • https://uploads.strikinglycdn.com/files/be43d58e-7d5b-46cd-b68a-3b93d99b24dd/49583342681.pdf
    • https://uploads.strikinglycdn.com/files/6f9e3ba4-31fb-4500-b1fa-9593d06587a9/zobotulumaninasuwaju.pdf
    • https://uploads.strikinglycdn.com/files/46c96d8a-2952-458a-a7ef-9391512d6965/84358871746.pdf
    • https://uploads.strikinglycdn.com/files/38462199-8fc8-4faf-bf89-492a3696b080/pisasifediderilarem.pdf
    • https://uploads.strikinglycdn.com/files/c7ca0d5d-2266-4318-abb0-8fe0a8584b37/fagebob.pdf
    • https://uploads.strikinglycdn.com/files/f0b24954-607e-42d6-ae61-31e9553ea0ea/81646113706.pdf
    • https://uploads.strikinglycdn.com/files/ece1594a-a5b1-40fe-adae-257ef59f76ce/41141491725.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000080ae.bin
696d8d8dcd1f00c9948dae8824453cde4132deae78935c5af10cdec41d1d655a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80AE 5348 bytes
font_01_sfnt_off000092fe.bin
cfb3bd26e8f83afd4aadebab2d0b7e6146b2555f782afce28f5e043a194145cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x92FE 11000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.