Malicious PDF — malware analysis report

Static analysis result for SHA-256 58b47dcb8724ecb7…

Verdict: MALICIOUS

File type: PDF

Size: 88.9 KB
Created: 2020-11-21 11:54:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b969c271539ed0c1bb3c314e96878888
SHA-1: 174b979ed0ed8c29ff43b08e3cc018cf5d246085
SHA-256: 58b47dcb8724ecb74feaee5a6326eeafa5ea06df8fb7c513217c519e6dacb020
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, directing users to numerous external URLs, many of which are hosted on disposable domains. The primary purpose appears to be SEO manipulation or directing traffic to potentially malicious sites, as suggested by the 'PDF_SEO_LINK_FARM' and 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristics.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffine.ru/123?utm_term=is+cucumber+a+green+vegetable
    • https://cdn-cms.f-static.net/uploads/4474218/normal_5fa9aadfcdf36.pdf
    • https://dujezipiver.weebly.com/uploads/1/3/4/6/134610991/5994205.pdf
    • https://baloxojiregape.weebly.com/uploads/1/3/4/6/134685367/9a31659e.pdf
    • https://luzoxunijasuw.weebly.com/uploads/1/3/4/3/134338954/387eccd8bf5.pdf
    • https://digonowokeke.weebly.com/uploads/1/3/1/8/131856318/bazoliv.pdf
    • https://zukolipiniroti.weebly.com/uploads/1/3/4/4/134494738/030f5b.pdf
    • https://xubidanata.weebly.com/uploads/1/3/4/8/134895671/3774088.pdf
    • https://cdn-cms.f-static.net/uploads/4367300/normal_5f9161a257aff.pdf
    • https://zirufifun.weebly.com/uploads/1/3/0/8/130874679/b26496e1bc.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/saxefi/alinea_cookbook_free.pdf
    • https://s3.amazonaws.com/pasawexawinogad/39645779068.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000fc7f.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xFC7F    6444 bytes
  SHA-256: b2eb716f9f1f9b32722e1ea04f9b39d21e8999039eb4c7f2f5ede24790997a64
font_01_sfnt_off00010c6f.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10C6F   5256 bytes
  SHA-256: 7cacda6c8e705799e6d0c944ed80cda45a5d2e0644f8a2d738fb06666a080756
font_02_sfnt_off00011e3f.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x11E3F   12396 bytes
  SHA-256: f0034bca22508846089b866b847b55b1bd848f6142f4166f95621d60a3759f91
font_03_sfnt_off00014786.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x14786   6084 bytes
  SHA-256: 0bbd385887db5074fbd87256d70f98a882c9353f1362fd6c1377f0ce146e0394