Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc5e974cffa466b6…

Verdict: MALICIOUS
File type: PDF

Size: 59.3 KB
Created: 2020-09-23 01:36:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: 1fefe16b103054acdd90e2664988db18
SHA-1: 3c1929e2e02c71268f0adc8af772b06b06488316
SHA-256: fc5e974cffa466b6c95a6a4cb3fc0451ab4df1bd336b5fb42a746990a91b671a

Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded links, with the primary link identified as a known malicious redirector. The ML classifier also strongly indicated maliciousness. The presence of a link farm suggests an attempt to distribute malicious content or phish users by directing them to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.ru/wix?keyword=%25E0%25B8%2595%25E0%25B8%25B4%25E0%25B9%258A%25E0%25B8%2581+%25E0%25B9%2580%25E0%25B8%2588%25E0%25B8%25A9%25E0%25B8%258E%25E0%25B8%25B2+%25E0%25B8%25A0%25E0%25B8%25A3+%25E0%25B8%2593%25E0%25B9%258C+%25E0%25B8%25AD%25E0%25B8%25B2%25E0%25B8%25A2%25E0%25B8%25B8 (in PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • stream_006_off00007f6a.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x7F6A
    Size: 17040 bytes
    SHA-256: f2cfb02e38d1fedfc7d98dd302f8647519460f5d0757e525e9a2643d3b721f09
  • font_00_sfnt_off00005c86.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5C86
    Size: 3396 bytes
    SHA-256: 39b723426ba3d8c138591a08cf7ac57ce1af2078f96d7f7cb3d2ce0498b9dbc4
  • font_01_sfnt_off00006788.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6788
    Size: 9020 bytes
    SHA-256: f3fca72e22b70f5a7c3053b45d4e64cc2f5b937438bd67eb0264ad2d968c8d57
  • font_03_sfnt_off0000af1a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAF1A
    Size: 8840 bytes
    SHA-256: 3cfdbd82b057138e49fb63e40539d4f1aff9b4ec44472bcf6fd0666649d38284
  • font_04_sfnt_off0000cd50.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCD50
    Size: 4324 bytes
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c