Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb15aa7e54af79cf…

Verdict: MALICIOUS
File type: PDF
Size: 35.4 KB
Created: 2020-10-15 07:43:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: 49f88fbc20c7b81b994093f10ba1bb7c
SHA-1: 927fc9d3a6084918a3b33f5791128f1b218343f0
SHA-256: fb15aa7e54af79cf7b6a5bb4199223575fff4b5e6954b415598a45a2c35bb9de
Risk score: 182

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of links to external PDFs hosted on disposable domains, indicating a link farm. One of the embedded URLs, https://cctraff.ru/strik?keyword=handbook+de+excipientes+farmaceuticos+en+espa%25C3%25B1ol+pdf, is flagged as a malicious redirector. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cctraff.ru/strik?keyword=handbook+de+excipientes+farmaceuticos+en+espa%25C3%25B1ol+pdf (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006671.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6671
    Size: 5744 bytes
    SHA-256: bf5e8f3b6cdccbfcaa80fc15fa397bef896d718bd23abe3a3745ff8402e29466