Malicious PDF — malware analysis report

Static analysis result for SHA-256 03e454d09d5fc93e…

MALICIOUS

PDF

Size: 98.4 KB
Created: 2020-11-13 03:20:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c8acadfd0104a33725cf1b01cca3eac2
SHA-1: ffb4bb9353bbc2d6658eda5cf6e0b3dd66ccc2a5
SHA-256: 03e454d09d5fc93eabb5159b3c23b26a5543abccbf3613e3872dcafd89c9a2c9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with one pointing to 'traffset.ru', suggesting a phishing or malware distribution attempt. The 'PDF_SEO_LINK_FARM' heuristic indicates a large number of external links, many of which are hosted on S3 buckets and appear benign, but the primary URL is suspicious. The ML classifier and ClamAV detection strongly indicate maliciousness. No scripts were extracted, but the presence of external links and the overall structure suggest a lure to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://traffset.ru/123?utm_term=comptia+security%252B+study+guide+free

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: stream_006_off0001519d.bin
  SHA-256: 97c169aba99b3be7d635e169e48f73628fbe8924007a192c8af15419f890dabd
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1519D
  Size: 24720 bytes

Filename: font_00_sfnt_off0000d588.bin
  SHA-256: 3c0e39a9eb5bc082b9a2f261414414833fa67cbef7b2f82dcd2123b5930c7a9c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD588
  Size: 16576 bytes

Filename: font_01_sfnt_off00010a89.bin
  SHA-256: 7ace4a51f2e678393da05270cbccf5b06c0a235d1ff6b76c15f169656224caff
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10A89
  Size: 5448 bytes

Filename: font_02_sfnt_off00011cf9.bin
  SHA-256: a274d1bfd3e72d9eade22848079fa75a37b8243bfe55676cc99220e2ec2cdd60
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11CF9
  Size: 5620 bytes

Filename: font_03_sfnt_off00012c77.bin
  SHA-256: 97c085980e8e90ca692bb28cd728a86c17b7d86acf52be1d911dae3fb686ba81
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12C77
  Size: 10764 bytes