Malicious PDF — malware analysis report

Static analysis result for SHA-256 4472b5b2948fcdc2…

Verdict: MALICIOUS
File type: PDF

Size: 60.5 KB
Created: 2020-12-28 06:30:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88407dddb91ea5fd8a0c5313b67446ac
SHA-1: ea5e4ea3447d5633bfb2830df9bd37eced2cd711
SHA-256: 4472b5b2948fcdc286c1d916f782044bbd4b8bf71161f3002cefede6c1cccbb1
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of external links, and the critical PDF_SEO_LINK_FARM heuristic classifies it as a generated SEO link-farm carrier: 13 of the 17 extracted URLs point at other .pdf files, 7 of them on uploads.strikinglycdn.com and 4 on s3.amazonaws.com. The one link that is not a document, 'https://traffnew.ru/strik?utm_term=darwin%2527+s+yearbook+game+online', is the likely router into a phishing page or a second-stage download; the doubly-encoded apostrophe in utm_term is typical of automatically generated SEO bait. The ascendercorp.com and scripts.sil.org/OFL links are consistent with licence metadata from the embedded sfnt font carved below rather than with the link farm. The ClamAV signature and the ML classifier independently support the malicious verdict. None of the four heuristics reports JavaScript, so the T1059.007 tag is not corroborated by the listed evidence; treat the file as a phishing or trojanized PDF carrier.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7994

Heuristics (4)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffnew.ru/strik?utm_term=darwin%2527+s+yearbook+game+online
    • https://cdn.sqhk.co/saseponirifa/jraibji/77313958813.pdf
    • https://tigibivimibi.weebly.com/uploads/1/3/4/3/134344299/sezogek.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9dee5221-fb29-4cb7-bb2f-658166178923/green_bay_municipal_court.pdf
    • https://uploads.strikinglycdn.com/files/c3f6eb99-7832-4afd-93fb-b1db21724d54/paw_patrol_happy_birthday.pdf
    • https://s3.amazonaws.com/zowejunef/dwarf_hairgrass_care_guide.pdf
    • https://uploads.strikinglycdn.com/files/b0186f9d-6952-49a1-8589-7c6b8f569969/51094162737.pdf
    • https://uploads.strikinglycdn.com/files/4e93a2e6-5589-4f9f-b355-15274e62f4f8/arcade_cocktail_table_control_panel.pdf
    • https://s3.amazonaws.com/vipuxafol/3d_photo_frame_wallpaper_free.pdf
    • https://uploads.strikinglycdn.com/files/4bf5af4e-747a-4ab2-98c4-2cf08e5faa54/two_semi-infinite_grounded_conducting_planes_meet_at.pdf
    • https://uploads.strikinglycdn.com/files/941dfbd2-2be2-44aa-8c06-c8d53c9032d1/download_fifa_14_full_version_pc.pdf
    • https://s3.amazonaws.com/verirejon/9871254694.pdf
    • https://uploads.strikinglycdn.com/files/e8640b3e-c2bc-4f7a-8d13-850fa4c7f0d8/34213640474.pdf
    • https://s3.amazonaws.com/rerinago/kixugokabexamulinuro.pdf
    • http://scripts.sil.org/OFL
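The following Python is an added example, not the scanner's own code and not part of the original report. It reproduces the two steps behind the EMBEDDED_URL list and the PDF_SEO_LINK_FARM heuristic above: it pulls every /URI action string out of a PDF (including those hidden inside FlateDecode object streams, which a scan of the raw bytes would miss), then scores the result for a small file whose external links are mostly other .pdf files clustered on one host, and separates out the non-document link with a tracking query string as the likely router. The thresholds (256 KB, at least 8 .pdf links, half or more on one host), the function names and the fixture PDF are assumptions; REPORT_URLS is the list from this report.

```python
"""Reproduce the EMBEDDED_URL extraction and PDF_SEO_LINK_FARM scoring (added example).

Thresholds, function names and the fixture PDF are assumptions; REPORT_URLS is
copied from the report's EMBEDDED_URL list.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# String operand of a /URI key, e.g. /A << /S /URI /URI (https://host/x) >>.
# Lazy match up to the first ')' that is not backslash-escaped.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# Stream bodies: annotations often sit inside FlateDecode object streams (/ObjStm).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
MAX_INFLATE = 8 * 1024 * 1024  # per-stream cap so a decompression bomb cannot exhaust memory

REPORT_URLS = [  # copied from the report's EMBEDDED_URL section
    "https://traffnew.ru/strik?utm_term=darwin%2527+s+yearbook+game+online",
    "https://cdn.sqhk.co/saseponirifa/jraibji/77313958813.pdf",
    "https://tigibivimibi.weebly.com/uploads/1/3/4/3/134344299/sezogek.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://uploads.strikinglycdn.com/files/9dee5221-fb29-4cb7-bb2f-658166178923/green_bay_municipal_court.pdf",
    "https://uploads.strikinglycdn.com/files/c3f6eb99-7832-4afd-93fb-b1db21724d54/paw_patrol_happy_birthday.pdf",
    "https://s3.amazonaws.com/zowejunef/dwarf_hairgrass_care_guide.pdf",
    "https://uploads.strikinglycdn.com/files/b0186f9d-6952-49a1-8589-7c6b8f569969/51094162737.pdf",
    "https://uploads.strikinglycdn.com/files/4e93a2e6-5589-4f9f-b355-15274e62f4f8/arcade_cocktail_table_control_panel.pdf",
    "https://s3.amazonaws.com/vipuxafol/3d_photo_frame_wallpaper_free.pdf",
    "https://uploads.strikinglycdn.com/files/4bf5af4e-747a-4ab2-98c4-2cf08e5faa54/two_semi-infinite_grounded_conducting_planes_meet_at.pdf",
    "https://uploads.strikinglycdn.com/files/941dfbd2-2be2-44aa-8c06-c8d53c9032d1/download_fifa_14_full_version_pc.pdf",
    "https://s3.amazonaws.com/verirejon/9871254694.pdf",
    "https://uploads.strikinglycdn.com/files/e8640b3e-c2bc-4f7a-8d13-850fa4c7f0d8/34213640474.pdf",
    "https://s3.amazonaws.com/rerinago/kixugokabexamulinuro.pdf",
    "http://scripts.sil.org/OFL",
]


def _unescape(lit: bytes) -> str:
    """Undo the PDF literal-string escapes that can occur inside a URL."""
    return (lit.replace(rb"\(", b"(").replace(rb"\)", b")")
               .replace(rb"\\", b"\\").decode("latin-1"))


def scan_regions(data: bytes):
    """Yield the raw file, then every stream body that inflates cleanly."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1), MAX_INFLATE)
        except zlib.error:
            continue  # not Flate data (image, plain text stream, ...)


def extract_uris(data: bytes) -> list[str]:
    """Every distinct /URI target, in order of first appearance."""
    seen, out = set(), []
    for region in scan_regions(data):
        for m in URI_RE.finditer(region):
            u = _unescape(m.group(1))
            if u not in seen:
                seen.add(u)
                out.append(u)
    return out


def link_farm_assessment(size_bytes, uris, *, max_size=256 * 1024,
                         min_pdf_links=8, cluster_ratio=0.5):
    """Small file + many external .pdf links + half or more on one host (assumed thresholds)."""
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    # Non-.pdf links carrying a query string are the usual "router" into the delivery chain.
    routers = [u for u in external if u not in pdf_links and urlsplit(u).query]
    return {
        "flagged": size_bytes <= max_size and len(pdf_links) >= min_pdf_links
                   and share >= cluster_ratio,
        "external": len(external),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "router_candidates": routers,
    }


def assess_report_urls():
    """Score the 60.5 KB sample from this report on its EMBEDDED_URL list."""
    return link_farm_assessment(int(60.5 * 1024), REPORT_URLS)


def build_fixture_pdf(plain, packed):
    """Constructed, skeletal PDF (no xref) with Link annots, some inside a Flate stream."""
    def annot(u):
        return b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>" % u.encode()
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, annot(u)) for i, u in enumerate(plain, 10))
    objstm = zlib.compress(b"\n".join(annot(u) for u in packed))
    body += (b"50 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\n"
             b"stream\n%s\nendstream\nendobj\n" % (len(objstm), objstm))
    return b"%PDF-1.5\n" + body + b"%%EOF\n"


if __name__ == "__main__":
    fixture = build_fixture_pdf(["https://example.test/a.pdf"], ["http://router.test/go?k=1"])
    print(extract_uris(fixture))
    print(assess_report_urls())
```

Run against the report's list this flags the sample (13 of 17 links are .pdf files, 7 of those on uploads.strikinglycdn.com) and isolates the traffnew.ru link as the only router candidate. Regex scanning is a triage shortcut, not a parser: names can be hex-escaped (/U#52I), strings can be hex strings, and actions can hide behind other filters, so for an evasive sample confirm the findings with a real PDF parser.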

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000dab7.bin
SHA-256: 858f450633f879ae9a10c8edd5b6b396c45457536f8f1d4dbbe4d8432d71752d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xDAB7
Size: 5436 bytes