Malicious PDF — malware analysis report

Static analysis result for SHA-256 1448d8d53501f352…

MALICIOUS

PDF

Size: 74.8 KB
Created: 2020-12-06 02:24:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d0b29baf973452d9f229c9579910c1af
SHA-1: a7c6fada60e8551d747f5046a096d79cc4f45882
SHA-256: 1448d8d53501f3527035094b1d7020e4a8179a776c2917dc43a8f0e8cdba4ab0
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was identified as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains a large number of external links, many of them pointing to PDF files, which suggests a link-farm or SEO-spam campaign designed to direct users to potentially malicious content. The document body, though heavily obfuscated, contains references to 'Arjun reddy breakup song ringtones' and to the wkhtmltopdf application; the ringtone text may serve as a lure that disguises the malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/aws?utm_term=arjun+reddy+breakup+song+ringtones
    • https://cdn-cms.f-static.net/uploads/4369769/normal_5fb72379657f3.pdf
    • https://xavilisepu.weebly.com/uploads/1/3/4/2/134235747/5972555.pdf
    • https://static.s123-cdn-static.com/uploads/4414494/normal_5fca25ebe0a51.pdf
    • https://rukuzidin.weebly.com/uploads/1/3/4/5/134517246/80118d7.pdf
    • https://cdn-cms.f-static.net/uploads/4454547/normal_5fa2872f741a4.pdf
    • https://cdn-cms.f-static.net/uploads/4365599/normal_5f871f85ea844.pdf
    • https://pidadilux.weebly.com/uploads/1/3/4/6/134666204/lafomu-fowesutom-dabikituduxun.pdf
    • https://laxigozi.weebly.com/uploads/1/3/4/3/134361341/5129110.pdf
    • https://cdn-cms.f-static.net/uploads/4370077/normal_5f9ef5586450a.pdf
    • https://cdn-cms.f-static.net/uploads/4370071/normal_5f9cc8aec2701.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf4dd79d793648408483a6/1606372823856/stupid_test_2.pdf
    • https://uploads.strikinglycdn.com/files/ff0d4059-7e57-4fce-acfc-5df275401394/57395278984.pdf
    • https://s3.amazonaws.com/pazatuv/mokizozedererox.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000b19f.bin
  SHA-256: 048fb1891f432488516cd811e7b04d68e7d39e548ca3495625137f8fb0c23ff4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB19F
  Size: 6744 bytes

font_01_sfnt_off0000c274.bin
  SHA-256: aa5372358103b7cc4ef908374b598f052ee1396b52dcf70fa50afca2ab89f292
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC274
  Size: 3036 bytes

font_02_sfnt_off0000cf86.bin
  SHA-256: 706347d17f8072e82bd3a51b3ab947c43ab36e9e6b8992fdb914bfe2b95a6a8f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCF86
  Size: 5468 bytes

font_03_sfnt_off0000e23c.bin
  SHA-256: fd3976462f627cb399d2e3755572452eb767cd1789d1c64263461660bc066c66
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE23C
  Size: 10264 bytes

font_04_sfnt_off0001057c.bin
  SHA-256: 10ae7a4fbc5827eca3bc9db17f6834b346abd083628d2a1846ffe091fb3520f2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1057C
  Size: 16428 bytes