Malicious PDF — malware analysis report

Static analysis result for SHA-256 30502835b4ba2dee…

MALICIOUS

PDF

71.0 KB Created: 2020-12-16 20:18:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1ca31f80d1853b7f04af68e085d5bf5 SHA-1: c30bd1cbea5641099df4c7166fadf00f28aee7f3 SHA-256: 30502835b4ba2deea1c03b6c021c464419d5b85523eaa22057982346de5d976b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan' and an ML classifier indicating maliciousness. The presence of a PDF link farm heuristic and an embedded external URI suggests an attempt to redirect users to malicious sites. While no scripts were explicitly extracted, the PDF structure and heuristics point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/123?utm_term=google+run+3+unblocked
    • https://wutosalix.weebly.com/uploads/1/3/4/6/134635680/zafekedoxi.pdf
    • https://cdn-cms.f-static.net/uploads/4475730/normal_5fb87c6d57a45.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/sifawekujiki/picsart_photo_studio_apk_2017.pdf
    • https://s3.amazonaws.com/livivuvuwugeb/30929071817.pdf
    • https://s3.amazonaws.com/xufujofaleki/bururaxitusofevasaged.pdf
    • https://s3.amazonaws.com/wixanarer/gozagovibapitadebiginim.pdf
    • https://s3.amazonaws.com/davawina/77056903675.pdf
    • https://s3.amazonaws.com/fedure/hoover_carpet_cleaner_manual_2010.pdf
    • https://s3.amazonaws.com/rewepalazamiso/kiropodotirelemunedir.pdf
    • https://s3.amazonaws.com/xifabilejilab/monthly_calendar_template_for_august_2016.pdf
    • https://s3.amazonaws.com/xukirizugukugi/kundan_bihari_ke_gana_mp4_ing.pdf
    • https://s3.amazonaws.com/xipavir/bls_steps.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dada.bin
ea90f7384c8917d273847d364851c9cbdcc403a361ca6927e0ca55cd6dd738c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDADA 5120 bytes
font_01_sfnt_off0000ec5e.bin
deb707b0c18a65ba0aab1b0caf7bd23407eef30e04a51b615312425129c249ac		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC5E 10252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.