Malicious PDF — malware analysis report

Static analysis result for SHA-256 0af8f72fd5455ee2…

MALICIOUS

PDF

Size: 63.6 KB    Created: 2020-11-11 13:05:52 +02:00    Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8ac4852c2310ef93c1ba49dfde2e5157
SHA-1: 189f52c94819b38d956dcd3f1e687f3df84b754a
SHA-256: 0af8f72fd5455ee2ef9af8f1e9911d095c21da8c897b7cd249b02305c0e6e366
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is flagged as malicious by both ClamAV (a Pdf.Phishing.Trojan signature) and the Nyx PDF classifier (score 0.9998). It carries an unusually large number of clickable external links to other PDFs, clustered on a handful of free-hosting domains (weebly.com, strikinglycdn.com, S3), plus one link to 'traffine.ru' whose query string carries the search keyword 'download grab app for windows', the shape of a keyword-driven redirector rather than a document citation. Taken together this indicates a phishing or unwanted-software distribution attempt using a generated SEO link-farm PDF as the carrier. The file was produced by wkhtmltopdf and its body text is garbled, consistent with machine-generated filler that was never meant to be read. The remaining extracted URLs (the w3.org, purl.org and ns.adobe.com namespaces, and scripts.sil.org/OFL) are XMP metadata namespace URIs and an embedded-font licence reference, not clickable links, and should not be treated as indicators. Note also that no heuristic in this report observed JavaScript, so the T1059.007 mapping is not supported by the static evidence on this page; the observed behaviour is link-based.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV detected this file as malware
    Signature: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action (a /URI action, typically attached to a link annotation, which opens the target in the reader's browser when clicked).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it stays at info, so by the rule's own definition the duplicated object did not.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The per-URL channel labels are not reproduced in this export.
    • https://traffine.ru/123?keyword=download+grab+app+for+windows
    • https://sirawomaperuli.weebly.com/uploads/1/3/1/3/131398091/9983420.pdf
    • https://ponixojezunuto.weebly.com/uploads/1/3/0/9/130969897/77073f35b67ce.pdf
    • https://nonuvatemex.weebly.com/uploads/1/3/4/4/134443968/mapez.pdf
    • https://fijojonibiw.weebly.com/uploads/1/3/2/6/132681787/8279107.pdf
    • https://vevejeda.weebly.com/uploads/1/3/0/7/130776099/9009541.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/gezejoputiwinu/88817026951.pdf
    • https://uploads.strikinglycdn.com/files/6fc919f1-9f73-40af-8633-65bb8e71cddd/gemowuvidadabijogo.pdf
    • https://uploads.strikinglycdn.com/files/e4b5b7d2-d2d8-4cb1-a65d-c22d765184ec/xetifula.pdf
    • https://uploads.strikinglycdn.com/files/60f3624f-b2d2-4c58-832b-a2d81461438b/fallrim_tools_resaver.pdf
    • https://uploads.strikinglycdn.com/files/0c1e7f51-52fb-4e4f-9718-575f0d65a392/76123627665.pdf
    • https://uploads.strikinglycdn.com/files/aa31d401-addd-44ae-814c-bf4a5a2a2445/pedicabs_central_park_nyc.pdf
    • https://uploads.strikinglycdn.com/files/c247b257-d2df-4724-ab0b-efa1f6655ffd/graph_inequalities_number_line_worksheet.pdf
    • https://uploads.strikinglycdn.com/files/fd71a8c0-ae10-4989-95cf-5e39f80890c0/zolosogerigufemuvam.pdf
    • https://s3.amazonaws.com/vavapekadoliti/mega_filmes_series.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
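The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are simple enough to reproduce with a raw-byte scan, and doing so also shows why the EMBEDDED_URL list needs per-URL channel labels: the XMP namespace URIs in it are not clickable. The script below is an added example, not the analysis platform's code or the sample's contents. It scans every "N G obj ... endobj" definition in file order (so it sees definitions appended by an incremental update), separates /URI link actions from other URLs, scores host clustering, and resolves a duplicated object both first-wins and last-wins. The PDF bytes, the example.test hostnames and the scoring thresholds are constructed and assumed for the demonstration.

```python
# Added example (not the analysis platform's code): a minimal static triage that
# reproduces PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL. The PDF
# bytes, example.test hostnames and thresholds are constructed/assumed.
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Every "N G obj ... endobj" definition in file order. Scanning raw bytes instead
# of walking the xref table is what exposes a second definition of the same
# object appended by an incremental update after the first %%EOF.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI target inside a link action: /A << /S /URI /URI (...) >>
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Any http(s) URL anywhere in the file (XMP namespaces, font licences, text).
ANY_URL_RE = re.compile(rb"""https?://[^\s<>"'()]+""")


def scan_objects(pdf):
    """[(num, gen, body), ...] for every object definition, in file order."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(pdf)]


def duplicate_objects(pdf):
    """(num, gen) -> distinct body hashes, for objects defined with different bytes."""
    seen = {}
    for num, gen, body in scan_objects(pdf):
        seen.setdefault((num, gen), []).append(hashlib.sha256(body).hexdigest())
    return {k: list(dict.fromkeys(v)) for k, v in seen.items() if len(set(v)) > 1}


def resolve(pdf, policy="last"):
    """Object table as a 'first-wins' or 'last-wins' reader would build it."""
    table = {}
    for num, gen, body in scan_objects(pdf):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def uri_of(body):
    """The /URI target of a link-annotation body, or None."""
    m = URI_ACTION_RE.search(body)
    return m.group(1).decode("latin-1") if m else None


def extract_urls(pdf):
    """[(channel, url)]: 'link-action' for clickable /URI actions,
    'body-or-metadata' for everything else (e.g. XMP namespace URIs)."""
    actions = {m.decode("latin-1") for m in URI_ACTION_RE.findall(pdf)}
    others = {m.decode("latin-1") for m in ANY_URL_RE.findall(pdf)} - actions
    return ([("link-action", u) for u in sorted(actions)]
            + [("body-or-metadata", u) for u in sorted(others)])


def link_farm_score(pdf, min_links=8, min_top_share=0.5, max_size=200_000):
    """Many clickable external links, mostly on one host, in a small file.
    Only link actions count; metadata URIs do not. Thresholds are assumed."""
    hosts = Counter(urlparse(u).hostname
                    for c, u in extract_urls(pdf) if c == "link-action")
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / total if total else 0.0
    return {"links": total, "top_host": top_host, "top_share": round(share, 2),
            "flagged": (len(pdf) <= max_size and total >= min_links
                        and share >= min_top_share)}


def build_sample():
    """Constructed test PDF: ten link annotations (eight on farm.example.test),
    an XMP metadata stream, then an incremental update redefining object 10
    with a different /URI. Not a real sample and not the file in this report."""
    urls = [f"https://farm.example.test/uploads/{i}/{i * 7919}.pdf" for i in range(1, 9)]
    urls += ["https://cdn.example.test/files/abc.pdf", "http://vendor.example.test/"]
    annots = "".join(
        f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI ({u}) >> >>\nendobj\n" for i, u in enumerate(urls))
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(urls)))
    pdf = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 20 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n"
           + annots +
           f"20 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
           f"stream\n{xmp}\nendstream\nendobj\n"
           "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
           # Incremental update: same object number, different body. A last-wins
           # reader follows the redirector; a first-wins reader keeps the farm link.
           "10 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI "
           "/URI (https://redirect.example.test/123?keyword=download+app) >> >>\nendobj\n"
           "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return pdf.encode("latin-1")


if __name__ == "__main__":
    sample = build_sample()
    print("link farm:", link_farm_score(sample))
    for key in duplicate_objects(sample):
        print("duplicate", key, "first-wins ->", uri_of(resolve(sample, "first")[key]),
              "| last-wins ->", uri_of(resolve(sample, "last")[key]))
    for channel, url in extract_urls(sample):
        print(f"{channel:17} {url}")
```

Running it on the constructed sample flags the link farm (11 link actions, 8 of them on one host), lists the two XMP namespace URIs under a separate channel so they do not inflate the score, and shows object 10 resolving to the farm link under first-wins and to the redirector under last-wins. Against a real file, pass the bytes of the sample in place of build_sample(); the regex scanner is intentionally forgiving of broken xref tables, which is the point when the duplicate-object heuristic fires.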

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000bc72.bin
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0xBC72    Size: 5440 bytes
    SHA-256: 4d3db37a0ec776ea37325141d5b2421d83f3831b22e32cf2511de80a2025bbdd
  • font_01_sfnt_off0000cf1b.bin
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0xCF1B    Size: 10136 bytes
    SHA-256: b50f3baa78abc4762d2f937c4068ed598dcffa03490f6fbcdf824808e247d842

Both artifacts are sfnt font programs embedded by the generating application; the scripts.sil.org/OFL URL in the extracted-URL list above is most likely the licence reference carried in one of these fonts' name tables rather than a link in the document. Nothing in this report indicates the font streams carry anything other than font data.