Malicious PDF — malware analysis report

Static analysis result for SHA-256 39cccb74de0e219c…

Verdict: MALICIOUS
File type: PDF
Size: 98.3 KB
Created: 2020-12-16 13:02:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 102fdabbfaffbb4425cde816ed5582c8
SHA-1: 14ffdfc23feaca3e403a0b81be8a5f7fbfbd9ead
SHA-256: 39cccb74de0e219c6a6dbfc202e50798f21a1fc30fdd383776cb71971ff0196e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, many of which point to PDF files hosted on various platforms, suggesting a link farm or SEO manipulation tactic. The primary URL, 'https://traffking.ru/123?utm_term=what+does+corroborate+mean+in+english', is presented as a search result, aiming to trick users into clicking. While no scripts were explicitly extracted, the PDF structure and the presence of numerous external links are indicative of malicious intent, most likely to drive traffic to, or host, malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9941

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://traffking.ru/123?utm_term=what+does+corroborate+mean+in+english

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size (SHA-256 of each carved file on the following line).

  • stream_009_off00014e59.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x14E59 | 18176 bytes
    SHA-256: 9a53eb0f5d899206140142024e1329928d04523b9b037af6ea44b3d64dff0b7c
  • font_00_sfnt_off0000cf5d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCF5D | 5588 bytes
    SHA-256: f5bc79bcccde96e0b4577828538fe8bd22d5ca5975fd0c5948118d00e10227d1
  • font_01_sfnt_off0000e2ec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2EC | 5508 bytes
    SHA-256: 326436fb358f0d28a2b677feb9a6cf1fb6cebaedee29a61f59e7114fa2c51cb5
  • font_02_sfnt_off0000f57f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF57F | 2656 bytes
    SHA-256: dbaab8dcf32bfe64cb008f34eb54f5316f62236e8dffe3de49b44225404383a5
  • font_03_sfnt_off00010083.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10083 | 2328 bytes
    SHA-256: 864cbe2c6973b44d2b71e19ffbffb2328dcb3759b07ceb43c11d5a372fc4956d
  • font_04_sfnt_off00010b39.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B39 | 2108 bytes
    SHA-256: d117309382da938f7dffedc42f90dd4217b4d540d75629b80669d975ecbc171e
  • font_05_sfnt_off00011504.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11504 | 6640 bytes
    SHA-256: 538512be6c526ea957b587fa229624d829dca4873b622d187784a60d2c877fcd
  • font_06_sfnt_off000126a2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x126A2 | 11844 bytes
    SHA-256: 95820959da448123bc4427dfb3b5220b378568a16b32cc4ea5c2d12ed4a22b0c
  • font_08_sfnt_off00016b25.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16B25 | 3276 bytes
    SHA-256: c12c670e310cd2dd0f4b1ea6ea0d01ef35e1284caa1cfc967b978b02bd897c09