Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ce48b4623d62293…

MALICIOUS

PDF

Size: 64.0 KB
Created: 2020-11-24 21:21:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9de1ddd635d72ad2f19178d7cdb10593
SHA-1: da4dcd580c564e325d0477c013e6012fad645ff5
SHA-256: 2ce48b4623d622933b6939ad7d2270afd67f96234256f86f520f13fb8ae56cd0
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to PDF files, suggesting a link farm or SEO abuse for malicious purposes. The ClamAV detection and ML classifier indicate malicious intent, likely related to phishing or malware delivery via the embedded URLs. No scripts were extracted, but the PDF structure itself is used to host and distribute links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6292

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DIFFERENTIAL_PARSE_FAILED (info): PDF differential parser failed
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000b912.bin
    SHA-256: 7533fb06abb4fc43d5bc23671dde0ac3856ce91a98c3501f085f57b56a400396
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB912
    Size: 5092 bytes
  • font_01_sfnt_off0000ca33.bin
    SHA-256: 73e3d2ab01919a685a6a9ba85dcbb7aa05887fb19c8ea7ff6b22d6f97b279a8b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCA33
    Size: 11080 bytes
  • font_02_sfnt_off0000effe.bin
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFFE
    Size: 4324 bytes