Malicious PDF — malware analysis report

Static analysis result for SHA-256 1339baf5f792946f…

Verdict: MALICIOUS
File type: PDF
Size: 91.0 KB
Created: 2020-11-19 09:41:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7e63de7952c88bafa7a93e477fd3cbd9
SHA-1: 0d79fd966afea3c4566fc6f586318ef912116cff
SHA-256: 1339baf5f792946f02d2008ed686356fb638a5705d3301deb13860b7c39cd5d6
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external links, most of them to .pdf files clustered on a few hosts, which matches a generated link-farm or redirection scheme rather than a normal document citation pattern. The ClamAV signature and the ML classifier score corroborate the verdict. No JavaScript or other script content was extracted, so the T1059.007 (JavaScript) mapping above is not corroborated by any extracted code; the document's structure and URI heuristics indicate that it exists to route users to external content, most likely for phishing or malware delivery. The wkhtmltopdf producer string is consistent with automated HTML-to-PDF generation, but it is self-reported metadata and is not evidence on its own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8717

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffset.ru/strik?utm_term=mrityunjay+kadambari+pdf+free
    • https://xuposebifaperep.weebly.com/uploads/1/3/4/6/134673232/4577888.pdf
    • https://tojopuxibo.weebly.com/uploads/1/3/4/2/134265943/d67fb5ecaef139c.pdf
    • https://sajesugepila.weebly.com/uploads/1/3/4/4/134467456/6954129.pdf
    • https://botubadixebom.weebly.com/uploads/1/3/1/4/131407995/lukebarobeguma.pdf
    • https://tusejefil.weebly.com/uploads/1/3/4/3/134320171/6584771.pdf
    • https://zigudufojivop.weebly.com/uploads/1/3/4/7/134718002/burazisof.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/c03e8da8-403b-4312-941f-93b8a5e9f2f2/zejosigizudilujamidu.pdf
    • https://uploads.strikinglycdn.com/files/0da68027-0149-4f85-8856-ac6a9a43563a/yamaha_rx_a850_manual.pdf
    • https://uploads.strikinglycdn.com/files/da8b79da-9571-46a5-8b56-12321f0c6c98/mapalikaxotowapi.pdf
    • https://uploads.strikinglycdn.com/files/b6505c4b-ad06-4486-89e8-0d0c84c43f65/wrong_mp3_download_by_luh_kel.pdf
    • https://uploads.strikinglycdn.com/files/181abf10-1d1b-41e8-b566-b3e5a5d65b40/55738694934.pdf
    • https://uploads.strikinglycdn.com/files/97c99564-28ad-440f-aafc-1457e373fa9a/programar_control_de_directv.pdf
    • https://uploads.strikinglycdn.com/files/afffdec1-b24f-45fd-a08f-e3cc3d6b5185/27171575050.pdf
    • http://scripts.sil.org/OFL
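The PDF_SEO_LINK_FARM heuristic and the per-URL channel labelling described under EMBEDDED_URL can be reproduced with a byte-level pass over the uncompressed objects of a PDF. The following is an added example written for this page, not the analysis engine's own code: it builds a constructed fixture PDF (hosts under the reserved .example TLD), extracts every /URI literal together with the channel that reaches it (a /Link annotation needs a click; an /OpenAction or /AA entry fires on open), and scores the link-farm pattern. The thresholds (file size, minimum link count, dominant-host share), the fixture contents and all function names are assumptions for the example.

```python
"""Byte-level triage of PDF URL actions: extract /URI literals with their
channel and score the small-file, many-.pdf-links-on-one-host pattern.

Added example for this report; thresholds, fixture URLs and helper names
are assumptions, not the analysis engine's code.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Objects in an uncompressed PDF body: "N G obj ... endobj".
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)\bendobj", re.S)
# /URI given as a PDF literal string "( ... )" with backslash escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def extract_uris(pdf_bytes: bytes) -> list:
    """Return (url, channel) for each /URI literal found in uncompressed objects.

    Only plain objects are visible: URIs inside FlateDecode object streams or
    written with hex-escaped names (/#55RI) are not seen by this pass.
    """
    found = []
    for obj in OBJ_RE.finditer(pdf_bytes):
        body = obj.group(1)
        if re.search(rb"/Subtype\s*/Link\b", body):
            channel = "link annotation"          # requires a user click
        elif b"/OpenAction" in body or re.search(rb"/AA\b", body):
            channel = "open/additional action"   # fires without a click
        else:
            channel = "other"
        for m in URI_RE.finditer(body):
            raw = (m.group(1).replace(rb"\(", b"(")
                              .replace(rb"\)", b")")
                              .replace(rb"\\", b"\\"))
            found.append((raw.decode("latin-1"), channel))
    return found


def assess_link_farm(pdf_bytes: bytes, *, max_size: int = 256 * 1024,
                     min_links: int = 8, dominant_share: float = 0.4) -> dict:
    """Score the link-farm pattern: a small file carrying many external links,
    at least half of them .pdf targets, clustered on one host.
    The thresholds are assumptions for this example."""
    hits = extract_uris(pdf_bytes)
    external = [(u, c) for u, c in hits
                if urlsplit(u).scheme.lower() in ("http", "https")]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u, _ in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    total = len(external)
    pdf_links = sum(1 for u, _ in external
                    if urlsplit(u).path.lower().endswith(".pdf"))
    share = top_count / total if total else 0.0
    flagged = (len(pdf_bytes) <= max_size and total >= min_links
               and share >= dominant_share and 2 * pdf_links >= total)
    return {
        "total_external": total,
        "pdf_links": pdf_links,
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "channels": dict(Counter(c for _, c in external)),
        "flagged": flagged,
    }


def build_sample_pdf(link_urls, open_action_url=None) -> bytes:
    """Constructed fixture: a one-page uncompressed PDF with one /Link
    annotation per URL and an optional /OpenAction URI (no xref table;
    enough for byte-level triage, not for a viewer)."""
    annots, objs = [], []
    for i, url in enumerate(link_urls):
        num = 4 + i
        annots.append(f"{num} 0 R")
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link "
                    f"/Rect [36 {700 - 12 * i} 300 {710 - 12 * i}] "
                    f"/A << /S /URI /URI ({url}) >> >>\nendobj\n")
    open_action = (f" /OpenAction << /S /URI /URI ({open_action_url}) >>"
                   if open_action_url else "")
    header = ("%PDF-1.4\n"
              f"1 0 obj\n<< /Type /Catalog /Pages 2 0 R{open_action} >>\nendobj\n"
              "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
              "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
              f"/Annots [{' '.join(annots)}] >>\nendobj\n")
    return (header + "".join(objs)
            + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# Constructed inputs (hosts under the reserved .example TLD).
FARM_URLS = [f"https://uploads.cdn-host.example/files/{i:02d}/document_{i}.pdf"
             for i in range(8)] + [
    "http://www.foundry.example/typedesigners.html",
    "http://licenses.example/OFL",
]
LINK_FARM_PDF = build_sample_pdf(FARM_URLS)
NORMAL_PDF = build_sample_pdf(
    ["https://www.vendor.example/manual.pdf", "https://www.vendor.example/support"],
    open_action_url="https://www.vendor.example/welcome")

if __name__ == "__main__":
    for name, sample in (("link-farm fixture", LINK_FARM_PDF),
                         ("normal fixture", NORMAL_PDF)):
        print(name, assess_link_farm(sample))
```

A regex pass of this kind only sees objects that are not inside compressed object streams and /URI keys that are not hex-escaped, so an empty result is not a clean bill; on anything that matters, decompress with a PDF parser first and run the same counting over the decoded objects.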

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00012dbc.bin
  SHA-256: 00819763233ba1b20982e49aaa8cef020e924fbdb0a744617989df793cd12bed
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12DBC
  Size: 5364 bytes

Filename: font_01_sfnt_off00013ffd.bin
  SHA-256: 3f404eaba19bd0d3a09dfe7187fb7c85d95ce68693c15158ced43a8b0b4e2761
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13FFD
  Size: 11504 bytes
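The two artifacts above were located by their sfnt table-directory signatures and sized from the directory. The following added example, not the engine's own carver, shows one way to reproduce such offsets and sizes: scan a buffer for the TrueType/OpenType magics, validate the table directory so that a stray "true" token in PDF syntax is not mistaken for a font, and compute each font's extent from the end of its last table. The PDF-like buffer, the two minimal fonts embedded in it and the helper names are constructed for the example; the artifact naming mirrors the report's font_NN_sfnt_offXXXXXXXX.bin convention.

```python
"""Carve embedded sfnt (TrueType/OpenType) fonts out of a byte buffer.

Added example for this report, not the analysis engine's carver. The
fixture fonts and PDF-like buffer below are constructed test input.
"""
import hashlib
import struct
from typing import Optional

# TrueType, CFF-based OpenType and Apple TrueType table-directory magics.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # sanity bound; real fonts have well under this many tables


def parse_sfnt_extent(buf: bytes, off: int) -> Optional[int]:
    """If a plausible sfnt table directory starts at `off`, return the font's
    byte length (end of its last table, relative to `off`); otherwise None.
    Table offsets in the directory are relative to the start of the font."""
    if off + 12 > len(buf):
        return None
    tag = buf[off:off + 4]
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if tag not in SFNT_MAGICS or not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = off + 12 + 16 * num_tables
    if dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        rec = buf[off + 12 + 16 * i: off + 28 + 16 * i]
        ttag, _checksum, toff, tlen = struct.unpack(">4sIII", rec)
        if not all(32 <= b < 127 for b in ttag):   # table tags are printable ASCII
            return None
        if toff < 12 or off + toff + tlen > len(buf):  # table must lie inside the buffer
            return None
        end = max(end, off + toff + tlen)
    return end - off


def carve_sfnt_fonts(buf: bytes) -> list:
    """Scan `buf` for embedded sfnt fonts; return offset, size, SHA-256 and a
    filename in the font_NN_sfnt_offXXXXXXXX.bin style used by the report."""
    found, pos = [], 0
    while True:
        candidates = [c for c in (buf.find(m, pos) for m in SFNT_MAGICS) if c != -1]
        if not candidates:
            return found
        off = min(candidates)
        size = parse_sfnt_extent(buf, off)
        if size is None:          # magic bytes without a sane directory: skip it
            pos = off + 1
            continue
        data = buf[off:off + size]
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{off:08x}.bin",
            "offset": off,
            "size": size,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
        pos = off + size


def build_sample_sfnt(name_payload: bytes) -> bytes:
    """Constructed fixture: a minimal sfnt with a zeroed 'head' table and a
    'name' table carrying `name_payload`. Not a usable font, but a valid
    table directory of the kind the carver looks for."""
    tables = [(b"head", bytes(54)), (b"name", name_payload)]
    num = len(tables)
    # searchRange/entrySelector/rangeShift for two tables: 32, 1, 0
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 32, 1, 0)
    directory, payload = b"", b""
    offset = 12 + 16 * num
    for tag, data in tables:
        padded = data + bytes((-len(data)) % 4)   # tables are 4-byte aligned
        directory += struct.pack(">4sIII", tag, 0, offset, len(data))
        payload += padded
        offset += len(padded)
    return header + directory + payload


FONT_A = build_sample_sfnt(b"Constructed Font One")
FONT_B = build_sample_sfnt(b"Constructed Font Two")
# PDF-like buffer: the "true" token in the first object is a decoy magic.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /AcroForm << /NeedAppearances true >> >>\nendobj\n"
    b"2 0 obj\n<< /Length 120 /Length1 120 >>\nstream\n" + FONT_A + b"\nendstream\nendobj\n"
    b"3 0 obj\n<< /Length 120 /Length1 120 >>\nstream\n" + FONT_B + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for artifact in carve_sfnt_fonts(SAMPLE_PDF):
        print(artifact)
```

Fonts in real PDFs usually sit inside FlateDecode streams, so run the carver over the decoded stream contents (or over the whole file after inflating every stream) rather than over the raw bytes alone; a font that is found is worth keeping, since embedded font parsers have a long exploit history and the carved file can be fed to a fuzzer-hardened validator or a sandbox independently of the PDF.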