Malicious PDF — malware analysis report

Static analysis result for SHA-256 3060f046e5d0909c…

Verdict: MALICIOUS
File type: PDF
Size: 73.2 KB
Created: 2021-01-19 05:40:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: dc6251e00b1e4b9051f18ff78f173564
SHA-1: 7fb31ef4b2c56c89f337a42d9c61ef3db3670fef
SHA-256: 3060f046e5d0909ca0da29061796e116c738187721a692d887f74c17c0e07f1e
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many pointing to Weebly and Mozfiles domains, which suggests a link farm or SEO-abuse tactic. The presence of a URL on 'traffset.ru' further supports this, indicating an attempt to drive traffic. ClamAV and the ML classifier also flagged this PDF as malicious, most likely because of its structure and embedded links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffset.ru/123?utm_term=smoked+ham+shank+and+beans (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e0e2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE0E2
    Size: 5244 bytes
    SHA-256: 67d9afa0c6f5ff884f095e1e8e9ba5d232fc3ed461ed9508d4029a8eb184cbcd
  • font_01_sfnt_off0000f28b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF28B
    Size: 10752 bytes
    SHA-256: dfd372205f72da0566ac585aed5461deb0672b02d6b18698f06dbf8f7e111415