Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa247740309bb60b…

MALICIOUS

PDF

Size: 50.1 KB
Created: 2020-11-03 05:43:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f7d551a1b2623255b2c3d0fb3fd926cd
SHA-1: 139832e0f42ad5f795c1287cfcf134afe99e4524
SHA-256: fa247740309bb60b393916952b8e6d41ba96934f61574bd67a4777947e9e6320
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, many of which point to external websites, suggesting a link farm or redirection attempt. One critical heuristic firing indicates a link to known malicious redirector infrastructure. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the primary attack pattern appears to be directing users to potentially harmful external content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off00005ad1.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x5AD1   2888 bytes
  SHA-256: c82bebd4b493aaaf84143f05ff6967641e6933e4069ecd51460b008fb5b9cf8a
font_01_sfnt_off00006511.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x6511   5048 bytes
  SHA-256: ae5eb07e0d627240a6f8ce94560e5032ba2d8fae399e1427f6bfa7fcc456366f
font_02_sfnt_off00007614.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x7614   4500 bytes
  SHA-256: 819cb6817a2f1ea14e100ce3e87134e5f95bcac2c5b3fd0af1a37a43fda6276a
font_03_sfnt_off00008470.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x8470   11704 bytes
  SHA-256: ad942196e4b20ecdd930eb8386d42bb556696ec023c970aa6f8a0b7546e9f6fa
font_04_sfnt_off0000ac11.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xAC11   3288 bytes
  SHA-256: 20fc9723141139eac5f3b2741027b05a799a696c04e3050c5829b59d7c4785be