Malicious PDF — malware analysis report

Static analysis result for SHA-256 296970433ec75c84…

MALICIOUS

PDF

Size: 66.6 KB
Created: 2021-01-10 09:20:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 951a1969a56b7860d9cbfc5c5b4e33fc
SHA-1: ce43a21a0e161aa288b0b7a5195a796c2e47312c
SHA-256: 296970433ec75c8441b9b4de8966a6b61d4d4de8d16c7a0bcbeaf5a5c3182f8f
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which are hosted on disposable domains, indicating a link farm or phishing attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and heuristic firings point towards it being used to redirect users to malicious sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8721

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fcc9.bin
SHA-256: 8dcf4f61c6c41000c80269cf9a038a17b659990bba97027e5a8e68cd1429d495
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFCC9
Size: 5320 bytes