Malicious PDF — malware analysis report

Static analysis result for SHA-256 0cc3664139a679fb…

MALICIOUS

PDF

74.0 KB Created: 2020-11-25 19:01:19 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a67e19a581014fb20cecb37d35c77db SHA-1: db5dd2742a29dc285d6eb62c21962f9fea60cf8b SHA-256: 0cc3664139a679fb80b836327f9632840a82417220581f51386d6d97c043a765
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by multiple heuristics and a machine learning classifier, and is also detected by ClamAV as Pdf.Phishing.Trojan. The file contains a link farm with numerous external PDF links, including a primary URL pointing to 'https://traffnew.ru/aws?utm_term=bollywood+songs+2019++zip'. This suggests the document is designed to redirect users to potentially malicious content, likely for phishing or malware distribution. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffnew.ru/aws?utm_term=bollywood+songs+2019++zip
    • https://gemaxudemaxepeb.weebly.com/uploads/1/3/1/0/131070646/2ce09bf0ca48.pdf
    • https://mepuralomelefaz.weebly.com/uploads/1/3/4/4/134494325/vixopigosupemozosafu.pdf
    • https://cdn-cms.f-static.net/uploads/4450043/normal_5f9fbf150355c.pdf
    • https://bizetuxerupa.weebly.com/uploads/1/3/0/8/130873791/vodetoxu-pavazala-besojaletizi-tiviwunaxix.pdf
    • https://pitadamep.weebly.com/uploads/1/3/4/8/134886808/ralobepapilofozip.pdf
    • https://cdn-cms.f-static.net/uploads/4366042/normal_5f8717914b9c5.pdf
    • https://gejizataki.weebly.com/uploads/1/3/3/9/133997606/7579488.pdf
    • https://pusazaninad.weebly.com/uploads/1/3/4/3/134358808/jovebapezulazid.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • http://www.daltonmaag.com/
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/0f5d93e2-8f63-4d17-8cc6-5426719ab686/87451726876.pdf
    • https://uploads.strikinglycdn.com/files/79a9c64a-c181-4d64-8c41-32c0f167f948/a_national_strategic_narrative.pdf
    • https://uploads.strikinglycdn.com/files/9ce62e25-9fbd-498f-99a3-8f8669208391/gikutakatu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ae99.bin
1f07cb095a1f1ef6c2a945f8af4fb73110886b6c98a6a5803db40d7ea6ecda23		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAE99 2976 bytes
font_01_sfnt_off0000b93f.bin
fd87543a1784057343f7fcfcdca5e2d7e2fada6a75b28a7df71e3d401b9f1bff		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB93F 5188 bytes
font_02_sfnt_off0000caff.bin
f0eb259151a5f78070078825467788eb26f09c7f35940572c4e6351a5a26af2f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCAFF 6816 bytes
font_03_sfnt_off0000dd33.bin
041a27f88bdee5f2fb96f07b4cb49c5d5234833556bb6994db92bde028da664c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDD33 9756 bytes
font_04_sfnt_off0000fea7.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFEA7 4324 bytes
font_05_sfnt_off00010ca7.bin
f5e6fda8c2c0a7dc3b86c9ef5039983efc5d0c642ade52f64682ad56d62c0281		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10CA7 3384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.