Malicious PDF — malware analysis report

Static analysis result for SHA-256 47afd3d7abf592ec…

Verdict: MALICIOUS
File type: PDF
Size: 66.6 KB
Created: 2020-11-13 06:14:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 601ad6fd4ee57fb31ab6a04e395b4ac2
SHA-1: 13d6b7fe3af48d9963f404445caa0ce45638a648
SHA-256: 47afd3d7abf592ec6c711cbdee6db80b9964c9bcc767fa7bd9aefc95288b8161
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a heuristic firing for a link farm and an embedded URL pointing to 'traffnew.ru'. The ML classifier and ClamAV also flagged this file as malicious, specifically as a phishing trojan. While no scripts were explicitly extracted, the PDF structure and embedded links suggest an attempt to redirect users to malicious content, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://traffnew.ru/aws?utm_term=detroit+news+auto+reporter

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000c97f.bin
SHA-256: 1eead6ea2ffff56e0fa328420b1f3ae5ab55389e63fb26542a84f09d071f8602
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xC97F
Size: 4872 bytes

Filename: font_01_sfnt_off0000da37.bin
SHA-256: 71febb6faaf30fd6274a8b94f9e41d8d81530fdc6b65b3510b6c2c55571a7e31
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xDA37
Size: 10752 bytes