Malicious PDF — malware analysis report

Static analysis result for SHA-256 061d583e1be07706…

Verdict: MALICIOUS
File type: PDF
Size: 62.9 KB
Created: 2020-11-24 07:32:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3ad52832794ac6e5a1a2118986de3be
SHA-1: 78ecf21302fa698de18257511d2d00f6842aadf8
SHA-256: 061d583e1be07706e3cb9e73c45e8f6736d1866bfd1422b8ac9b8dd3c45c0e9e
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one heuristic specifically identifying a 'PDF link farm' designed for SEO manipulation. The embedded URL 'https://trafffi.ru/123?utm_term=last+stand+3+hacked' is flagged as suspicious and likely leads to a phishing or malware distribution site. The document body, though heavily obfuscated, contains references to 'Last stand 3 hacked' and the authoring application 'wkhtmltopdf', suggesting a deceptive lure. The presence of embedded URLs and the link farm heuristic strongly indicate an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8776

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://trafffi.ru/123?utm_term=last+stand+3+hacked

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cc89.bin
    SHA-256: 084cc968db7a1b7d9f883e2515193e6c225cfd6fdbadd968d14083a29ece36f4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCC89
    Size: 5068 bytes
  • Filename: font_01_sfnt_off0000ddca.bin
    SHA-256: ab812fbf4465aa22f33c8fda659c9d3bae4522e9144a7c29269d26563658e9e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDDCA
    Size: 10984 bytes