Malicious PDF — malware analysis report

Static analysis result for SHA-256 339abac065dcd828…

MALICIOUS

PDF

71.3 KB Created: 2020-12-14 22:21:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15
MD5: c270253930bea2be83bf7359d09e81e9 SHA-1: 56d8b820d2b39edb88970005742cf036e289344f SHA-256: 339abac065dcd828f0dadc836820c5d06dfaf76fc48783ff38ffc6bd9e90f299
204 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/wb?keyword=android%20root%20folder%20unity PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4368955/normal_5f9d6d95b476e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4411490/normal_5fd170880a983.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4409826/normal_5fd146a3eb72a.pdfIn PDF document text
    • https://jajewivazag.weebly.com/uploads/1/3/4/4/134491582/96f3f7020.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4388413/normal_5f8deb745cfb9.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4415051/normal_5fd5f2f3586b6.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4408195/normal_5f9459540531d.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/fenatagazise/spreadsheet_compare_office_2013.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc06ef3116eb00e3c49974f/t/5fc126d5eaf37e3b64c51aab/1606493912034/dumejojamuv.pdfIn PDF document text
    • https://s3.amazonaws.com/solonebosop/update_windows_10_offline_64_bit.pdfIn PDF document text
    • https://s3.amazonaws.com/lolaritemukole/mcdonalds_application_answers_2019.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc130cd8787e879896ddc20/t/5fc5df74a97599144ec4a798/1606803321636/fayette_county_ky_jail_inmates_mugshots.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc0fe386b97992eb55c938e/t/5fc1f68e64571256548247e8/1606547087109/51728546731.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fbfdc47a13a450babee0d2c/t/5fc5ff9abc819f1cf4a6b5c1/1606811546760/zune_mp3_player_2006.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc51d3bc89e1c4b8fd9e252/t/5fc683b0e18c5c478edd1259/1606845362877/download_elite_swat_counter_terrorist_game_mod_apk.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da3e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDA3E 4604 bytes
SHA-256: 2519fa4beef2c1f570c250f248cc7c54a3ab62a8024a1412d5b33ac98d5eda8a
font_01_sfnt_off0000ea02.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA02 11356 bytes
SHA-256: 0b61d74cfd2c053423680b984678f0c2b6fc874d5cc0c7883641d691d37cb3ab