Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ceeca3d59614a14…

MALICIOUS

PDF

61.1 KB Created: 2020-11-13 23:44:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b40aefb31318fe23dcbf95e561a03323 SHA-1: 62340a6485cbf70031c48f035d98bff8f01ce32a SHA-256: 2ceeca3d59614a14b99ece59a574989579f92a24535efb292729fdb74d001c1a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, pointing to various websites. One of these URLs, 'https://traffking.ru/aws?utm_term=best+crossover+suv+2015+consumer+reports', is directly embedded and suggests a lure related to consumer reports. The ClamAV detection and ML classifier further indicate malicious intent, likely for phishing or distributing further malware. No scripts were extracted, but the structure suggests a malicious PDF designed to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5435

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/aws?utm_term=best+crossover+suv+2015+consumer+reports
    • https://vunixumo.weebly.com/uploads/1/3/1/4/131453253/kixakokoxunuri.pdf
    • https://xezojasupaxu.weebly.com/uploads/1/3/4/3/134352535/palawe.pdf
    • https://cdn-cms.f-static.net/uploads/4426682/normal_5f9cb4efb4c7a.pdf
    • https://rikurifijuse.weebly.com/uploads/1/3/4/6/134681474/2743582.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/jitimesolagun/92788090519.pdf
    • https://s3.amazonaws.com/wegemebufojafak/tinipijorala.pdf
    • https://uploads.strikinglycdn.com/files/2ed7e5c3-d5ba-4203-93b1-89af2cb417dc/62882938962.pdf
    • https://s3.amazonaws.com/xipavir/the_odyssey_chapter_questions_and_answers.pdf
    • https://s3.amazonaws.com/rebomedug/nba_live_hack_no_verification.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c2a3.bin
76b8b3aa47490dd94f0106cb443866c683bd3c2b0c9cafdd4c6e682e139a134c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC2A3 5396 bytes
font_01_sfnt_off0000d504.bin
56fde4b03796d1d63e302688e160f8b8d865e73891287e8cf6144cd51ca2cb3d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD504 10336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.