Malicious PDF — malware analysis report

Static analysis result for SHA-256 1294b7873b19a5a6…

MALICIOUS

PDF

61.0 KB Created: 2020-12-16 09:43:43 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: 30bbf9bb543fde1e303c04286183e5b2 SHA-1: e265095a8c893224a6ed45f05e41ef22b7f99030 SHA-256: 1294b7873b19a5a6e961d28d9517805f908207d4864b0446a9afd901dd11ca43
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.007 JavaScript

The PDF contains a large number of external links, many of which are SEO-focused, suggesting a link farm or phishing attempt. The 'Browser extension / update installation lure' heuristic indicates the document's content is designed to trick users into installing malicious software. ClamAV also detected this file as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/strik?utm_term=blue+yodel+number+9+tab PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4392650/normal_5f920c763af99.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4413851/normal_5f9a49465f798.pdfIn PDF document text
    • https://federadedeladol.weebly.com/uploads/1/3/4/6/134626130/5538951.pdfIn PDF document text
    • https://zipazoraxegav.weebly.com/uploads/1/3/4/3/134325660/negojunijap.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4455178/normal_5fbb00b2b433e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4448549/normal_5fb7f22dc62c6.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4385021/normal_5fbd6182e1306.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4378151/normal_5f96255cd9bcf.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://static1.squarespace.com/static/5fc4c3d0a5bc066edfbe5dc3/t/5fd0458dcb6bfe602c4b0d5c/1607484813404/alone_sad_images_hd.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/37df1fce-4d26-427b-8ad6-7fd17906a3e7/zavozitesotinaradig.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc0d2f2d26ff1194f734ddd/t/5fc4bb9ce18c5c478e90aea9/1606728604768/what_is_a_claim_of_fact_essay.pdfIn PDF document text
    • https://s3.amazonaws.com/mijedusovineti/54823186845.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/33452e62-1d89-48a7-a859-62add3cb1947/76325640580.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/34252e6c-74f2-41a4-89f8-f07264b91484/technical_analysis_free.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/92540170-4dbd-4292-9c28-b730a22d70a4/57971190332.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b132.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB132 5240 bytes
SHA-256: b4aa91ad0356e1c6ac735c9cfaca856706d943dfffd4e85c4eb8979d1de7ec82
font_01_sfnt_off0000c2f0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC2F0 10680 bytes
SHA-256: ed48ded15850487b24733ed71aba8c9132f4626f2e980a970beb53a4a84baee8