PDF malware analysis — malicious · 5afa06d76b3b8499

MALICIOUS

PDF

61.3 KB Created: 2020-11-10 08:06:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 784b71852f241217d9c87d9699d8efc6 SHA-1: 17ac52bc0a47a64118ab55135331a4952d81610a SHA-256: 5afa06d76b3b8499f1b515aa94e366a7264aad01ec161850427031afde3c59a9

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to Weebly-hosted PDFs, suggesting a link farm or redirection mechanism. The primary URL, 'traffset.ru', is likely used to direct users to malicious content or phishing sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9995

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://traffset.ru/aws?keyword=arkansas+river+education+service+cooperative
- https://gokododilu.weebly.com/uploads/1/3/4/5/134578034/rowefeluziro_sabur.pdf
- https://putigazabikikim.weebly.com/uploads/1/3/2/6/132682718/piruxubowizogoxex.pdf
- https://pasukanat.weebly.com/uploads/1/3/4/4/134474220/denobo_zovideg.pdf
- https://lixaworone.weebly.com/uploads/1/3/1/8/131871871/wakubaxux.pdf
- https://zekasujiminog.weebly.com/uploads/1/3/4/3/134366003/7fab100dd78707.pdf
- https://jurosoke.weebly.com/uploads/1/3/4/5/134529251/4647278.pdf
- https://rozenawaxu.weebly.com/uploads/1/3/4/5/134517597/2b9be.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://s3.amazonaws.com/gewuwasi/innova_3100_firmware.pdf
- https://uploads.strikinglycdn.com/files/40f9acd1-41a5-4404-bf06-377b438dcf07/science_and_development_of_muscle_hypertrophy_download.pdf
- https://uploads.strikinglycdn.com/files/b5f7be8f-c2a3-4102-a316-469d439ab1f1/vejabinetuliloxukemo.pdf
- https://s3.amazonaws.com/potofaw/router_letter_templates_harbor_freight.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b0e5.bin` `e03ed54675c6540aae787794a0375b72acaca6960b6ce983e58c23e0e04ef6fa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB0E5	5148 bytes
`font_01_sfnt_off0000c27d.bin` `b67ba4df3cb935ab2482a30783141d1e001a559af363442ec532294bb1d3811b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC27D	10600 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.