PDF malware analysis — malicious · 5a8b93e9f74ddec9

MALICIOUS

PDF

72.7 KB Created: 2021-01-02 00:49:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 305b35b9a5e048796883b4ed57527e50 SHA-1: ebc6dad92852f8c25e962fd3bf4023e6492bec37 SHA-256: 5a8b93e9f74ddec9b31b27bbdf21d8c962d493247af5468b4c6a85596bf7f3a7

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of embedded external links, with one heuristic specifically identifying it as a 'PDF_SEO_LINK_FARM'. The presence of a malicious ClamAV detection and a high ML score further indicate malicious intent. The primary goal appears to be directing users to potentially harmful websites, as evidenced by the URL 'https://trafftec.ru/123?utm_term=the+burning+pigs+divinity+2+without+pet+pal'. No scripts were extracted, but the overall structure suggests a phishing or SEO spamming campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://trafftec.ru/123?utm_term=the+burning+pigs+divinity+2+without+pet+pal
- https://cdn.sqhk.co/muzubasiwu/heghJE5/hitman_2_gold_edition_contents.pdf
- https://papunagaku.weebly.com/uploads/1/3/1/3/131384156/febuzelata-zavaxi-reregu-narixa.pdf
- https://pisubamu.weebly.com/uploads/1/3/0/7/130740412/wufewagisevudezak.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://uploads.strikinglycdn.com/files/5e9375a2-4326-4d12-93a4-118f3a572ecf/47184481872.pdf
- https://uploads.strikinglycdn.com/files/18b8f547-1c11-438d-a66d-2f1c621b71d2/56055935668.pdf
- https://s3.amazonaws.com/sugowubuf/dafejexowubimuwer.pdf
- https://s3.amazonaws.com/ziwuvijevo/rinibivoraroxi.pdf
- https://s3.amazonaws.com/fasanag/fozedigomuxunufogunuk.pdf
- https://s3.amazonaws.com/baposivarabuj/adv_14_2019_hssc.pdf
- https://s3.amazonaws.com/jezaxojipevu/microsoft_outlook_calendar_templates.pdf
- https://s3.amazonaws.com/wuzalugiseto/msa_altair_4xr_datasheet.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000de2f.bin` `a213937d90d879a4712f26293ed19db49a983091f9119221feb21832aacc39a3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDE2F	5696 bytes
`font_01_sfnt_off0000f1a5.bin` `9df9be181e03ffd68f2f2f0ac5998ba34b6f90f07fefc8c5aca189a4b6c93dbd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF1A5	10660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.