Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b9affe826e84372…

Verdict: MALICIOUS
File type: PDF

Size: 79.0 KB
Created: 2020-11-30 23:44:18 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-07
MD5: 87d119cb90f5e5efac03bf19de4e10b6
SHA-1: e521eb8082be89be946580627ffcc3f38d3351c5
SHA-256: 3b9affe826e84372b3016177959e44de7ab8fc6c669ca7411f01e95d512779a6
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged as malicious by three independent checks: a ClamAV signature, the Nyx ML classifier, and the link-farm heuristic. It contains a large number of external links, most of them to .pdf files hosted on Squarespace and Weebly (benign hosting platforms, but the volume of links and their clustering on one host match generated SEO link-farm carriers rather than a normal citation pattern). The one clickable link annotation points to 'trafffi.ru' with a search-keyword query string (utm_term=disgaea+4+character+list), consistent with a redirection scheme that routes visitors arriving from search results into malicious or unwanted-software delivery chains. The document text, though truncated and partially garbled, is built around the keyword 'Disgaea 4 character list' and names 'wkhtmltopdf', which together with the authoring metadata indicates a web page rendered to PDF as a search-engine lure rather than a document written for a human reader. The ascendercorp.com and scripts.sil.org/OFL URLs are standard font-licence references of the kind carried in embedded font metadata and are not part of the link farm. No JavaScript or other scripts were extracted, so the T1059.007 mapping is not supported by the extracted content; the verdict rests on the PDF structure, the link-farm pattern and the signature and classifier hits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9329

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/123?utm_term=disgaea+4+character+list (PDF link annotation)
    • https://bizexolarosazar.weebly.com/uploads/1/3/4/8/134882522/wikugomivav.pdf (in PDF document text)
    • https://vepazigomopu.weebly.com/uploads/1/3/4/3/134398405/jekazixoz_wateze_dozoramax_pezelu.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://static1.squarespace.com/static/5fc168c927a199023ab8f22b/t/5fc38762173fb5383b109be1/1606649698570/xeminixudetezonubuvuzasak.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd1c3643516d6aa83e0ca2/1606229049253/sasufikuremob.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe2c10f81c9a2a0c6c2f48/1606298644874/3198686176.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc1366588c99b6d37a92994/t/5fc353894e98326c027b70af/1606636428779/rawuturigewurotir.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc0e627116eb00e3c4beed8/t/5fc1c246e18c5c478e3cf3ae/1606533709523/fewilamego.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe0871f8cdb769c6aa423e/1606289522654/81613734592.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc0c3d560f2895dc1e72903/t/5fc379d7e18c5c478e681884/1606646231780/char_griller_3001_review.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd1060dae50a014589dcef/1606226017219/322278720.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc0e552ec917750a3d7e003/t/5fc175314f9837572016c805/1606513969375/5184518840.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/67d62fb3-2a2e-429b-bd50-71b5a0a39289/identifying_prepositional_phrases_as_adjectives_and_adverbs_quiz.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf69cd61e25426e1312126/1606379983126/mint_delete_duplicate_account.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
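The PDF_SEO_LINK_FARM and EMBEDDED_URL entries above describe a simple, reproducible triage: extract every URL, record which channel it came through (a /URI action on a /Link annotation versus plain text in a content stream), and flag a small file whose links are mostly .pdf targets clustered on one host. The script below is an added example, not the analysis platform's own code. It builds a constructed, minimal PDF-like byte string (no xref table; only the structures the extractor reads) from a subset of the URLs listed in this report, placed in the channels the report attributes them to, and then runs that heuristic over it. The size, link-count and host-share thresholds are illustrative assumptions, not the platform's.

```python
"""Link-farm PDF triage (added example, not the report's own tooling): pull URLs
out of a PDF by channel (link annotation vs document text) and apply the
small-file / many-external-.pdf-links / one-host-clustering heuristic that the
PDF_SEO_LINK_FARM rule describes. Thresholds are illustrative assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input (not the real file): a subset of the URLs listed in the
# report, placed in the channels the report says they were found in.
ANNOTATION_URI = "https://trafffi.ru/123?utm_term=disgaea+4+character+list"
TEXT_URLS = [
    "https://bizexolarosazar.weebly.com/uploads/1/3/4/8/134882522/wikugomivav.pdf",
    "https://vepazigomopu.weebly.com/uploads/1/3/4/3/134398405/jekazixoz_wateze_dozoramax_pezelu.pdf",
    "https://static1.squarespace.com/static/5fc168c927a199023ab8f22b/t/5fc38762173fb5383b109be1/1606649698570/xeminixudetezonubuvuzasak.pdf",
    "https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd1c3643516d6aa83e0ca2/1606229049253/sasufikuremob.pdf",
    "https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe2c10f81c9a2a0c6c2f48/1606298644874/3198686176.pdf",
    "https://static1.squarespace.com/static/5fc1366588c99b6d37a92994/t/5fc353894e98326c027b70af/1606636428779/rawuturigewurotir.pdf",
    "https://static1.squarespace.com/static/5fc0e627116eb00e3c4beed8/t/5fc1c246e18c5c478e3cf3ae/1606533709523/fewilamego.pdf",
    "https://static1.squarespace.com/static/5fc0c3d560f2895dc1e72903/t/5fc379d7e18c5c478e681884/1606646231780/char_griller_3001_review.pdf",
    "http://www.ascendercorp.com/",  # font-licence reference, not a farm link
    "http://scripts.sil.org/OFL",    # font-licence reference, not a farm link
]


def build_sample_pdf() -> bytes:
    """Constructed PDF-like bytes: one page with a /Link annotation carrying a /URI
    action, plus a FlateDecode content stream whose text contains TEXT_URLS.
    No xref table is written; the extractor below does not need one."""
    body = "BT /F1 10 Tf 72 720 Td " + " T* ".join(f"({u}) Tj" for u in TEXT_URLS) + " ET"
    stream = zlib.compress(body.encode("ascii"))
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj",
        b"4 0 obj << /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >> stream\n"
        + stream + b"\nendstream endobj",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 712] /A << /S /URI /URI ("
        + ANNOTATION_URI.encode("ascii") + b") >> >> endobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")              # /URI (...) in a /Link action
STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)    # raw stream bodies
URL = re.compile(rb"https?://[^\s()<>]+")                     # http(s) URLs in decoded text


def extract_urls(pdf: bytes) -> dict:
    """Return URLs keyed by the channel that reached them."""
    found = {"link_annotation": [], "document_text": []}
    for m in URI_ACTION.finditer(pdf):
        found["link_annotation"].append(m.group(1).decode("latin-1"))
    for m in STREAM.finditer(pdf):
        raw = m.group(1)
        try:
            data = zlib.decompress(raw)  # FlateDecode; fall back to raw bytes if not deflated
        except zlib.error:
            data = raw
        found["document_text"] += [u.decode("latin-1") for u in URL.findall(data)]
    return found


def link_farm_verdict(pdf: bytes, max_size=200 * 1024, min_pdf_links=6, min_top_host_share=0.5) -> dict:
    """Small file + many external .pdf links + links clustered on one host => flag.
    All three thresholds are illustrative assumptions, not the platform's values."""
    channels = extract_urls(pdf)
    urls = list(dict.fromkeys(channels["link_annotation"] + channels["document_text"]))  # dedupe, keep order
    hosts = Counter(urlparse(u).hostname for u in urls)
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(urls) if urls else 0.0
    flagged = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_top_host_share
    return {
        "size": len(pdf),
        "total_urls": len(urls),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "annotation_urls": channels["link_annotation"],
        "flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in link_farm_verdict(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Keeping the annotation and text channels separate is what makes the trafffi.ru hit meaningful: it is the only URL a reader can actually click, while the Squarespace and Weebly .pdf URLs are text the crawler is meant to read. On a real sample the regexes are a first pass only; compressed object streams, hex-encoded /URI strings and indirect /A references need a proper PDF parser.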

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011ac9.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11AC9
  Size: 5312 bytes
  SHA-256: 3395b43ddf7b22486b820b8fc45255c009814439a1f8028741c56f60821c65b9
Filename: font_01_sfnt_off00012cff.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12CFF
  Size: 4720 bytes
  SHA-256: bcd6d42d4b08ff7ebd1f89ed7b2401fa73aa6711bd2b505d9d3b293cab2eb9b8