Malicious PDF — malware analysis report

Static analysis result for SHA-256 31aac446cd07564a…

Verdict: MALICIOUS
File type: PDF
Size: 58.2 KB
Created: 2020-12-08 02:41:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 80c0e8a884175d4306cd00787f02fc72
SHA-1: a904e6ba19a0eaaf50f2fa1753e1f60b037e611c
SHA-256: 31aac446cd07564a13301b4a5748e6a16d7df7eec752c6e8890c0cf93f1808c7
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a link farm. One of the primary external links points to 'trafftec.ru', and another significant link is to a PDF hosted on 'susevire.weebly.com'. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8225

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafftec.ru/strik?utm_term=air+assault+phase+2+study+guide
    • https://susevire.weebly.com/uploads/1/3/4/8/134885610/napatoduwuredo.pdf
    • https://xalitizamer.weebly.com/uploads/1/3/4/8/134863297/zojosoneragenef.pdf
    • https://zigegawemofeza.weebly.com/uploads/1/3/1/4/131406932/603773.pdf
    • https://patekakedosejot.weebly.com/uploads/1/3/4/4/134479085/9488119.pdf
    • https://cdn-cms.f-static.net/uploads/4404308/normal_5f976d8c25240.pdf
    • https://gabejudunutulan.weebly.com/uploads/1/3/4/8/134887900/jujat.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static1.squarespace.com/static/5fc59e4d104edf1d77a14846/t/5fc808f2234f70360a9c75e3/1606945010986/98525631909.pdf
    • https://static1.squarespace.com/static/5fc64f06116eb00e3c70da9e/t/5fca3a60e4017829c17564b1/1607088736628/darevunuvo.pdf
    • https://s3.amazonaws.com/bomifabipi/aradhana_songs_now.pdf
    • https://uploads.strikinglycdn.com/files/7a07ce98-073c-4e70-9863-91f495153bf9/movepusofikoj.pdf
    • https://static1.squarespace.com/static/5fc57e62a8793968642735c9/t/5fcba61421c0486e91992817/1607181846157/35038050712.pdf
    • https://s3.amazonaws.com/pusori/1707624178.pdf
    • https://static1.squarespace.com/static/5fc2b9b8abaecd33182e01d5/t/5fc4fef75147b14804cfb350/1606745847963/samsung_galaxy_amp_2_phone_case.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d561.bin
SHA-256: 338bbad256f2834308f86309af219d32cef1a8233d905d034682094835476090
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD561
Size: 5444 bytes