Malicious PDF — malware analysis report

Static analysis result for SHA-256 1519d14d2e1caed7…

Verdict: MALICIOUS

File type: PDF

Size: 67.6 KB Created: 2020-12-18 11:47:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6b0658b9bc79aff80df2a3f8ddc9aeb SHA-1: 2f1ef5addb2d08ac8be8fc2a31ac3add952239d0 SHA-256: 1519d14d2e1caed7d95c77e55e8907e5122d0f6dd60181d0123bc029452695bd
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for link farms and phishing campaigns. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, with one pointing to 'https://traffnew.ru/aws?utm_term=citroen+c3+2017+user+manual'. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9360

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffnew.ru/aws?utm_term=citroen+c3+2017+user+manual

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eb7d.bin
SHA-256: 39d3fcb8d4373493f2dd114acc7804496c717fc7b5a4aedfbab0259b82a97897
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEB7D
Size: 5420 bytes