Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d6e73d9b65614e1…

MALICIOUS

PDF

68.6 KB Created: 2020-12-02 12:49:54 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1811862c750507ecd205e063c19fd227 SHA-1: e3458a22b6442ea29058f5bf5eb9f6fbf575b653 SHA-256: 5d6e73d9b65614e1725fbca54d8f764bc842dc8de65e030cdca62e70abc20d79
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by multiple heuristics and a machine learning classifier, with ClamAV detecting it as a phishing trojan. It contains a mass of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to malicious sites. The primary URL observed is 'https://traffset.ru/strik?utm_term=lol+dodge+game+skillshot', which is likely part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/strik?utm_term=lol+dodge+game+skillshot
    • https://cdn-cms.f-static.net/uploads/4370278/normal_5f8949f043d52.pdf
    • https://menerixejujup.weebly.com/uploads/1/3/4/6/134605313/vewiz.pdf
    • https://weduzoviduluwiz.weebly.com/uploads/1/3/4/3/134385862/mukodunas_fizusex_ruxeg_zakuvazigin.pdf
    • https://jiwalevimube.weebly.com/uploads/1/3/4/8/134870165/zunenokaf_vewuzomadovev_vuguki.pdf
    • https://cdn-cms.f-static.net/uploads/4403413/normal_5fb5392fe8145.pdf
    • https://cdn-cms.f-static.net/uploads/4367656/normal_5f87f40336e47.pdf
    • https://xazojitov.weebly.com/uploads/1/3/1/4/131408465/301de4db5cf050.pdf
    • https://moxitasa.weebly.com/uploads/1/3/1/4/131454719/aee6713.pdf
    • https://xotukejurivaj.weebly.com/uploads/1/3/4/0/134016857/3a96e90a3a.pdf
    • https://sanokigoj.weebly.com/uploads/1/3/4/8/134863934/a060e7.pdf
    • https://nugaginidej.weebly.com/uploads/1/3/4/4/134475369/db999700f5.pdf
    • https://bulireta.weebly.com/uploads/1/3/4/7/134727307/3210378.pdf
    • https://povobaza.weebly.com/uploads/1/3/4/3/134383372/nigare.pdf
    • https://mipirizu.weebly.com/uploads/1/3/2/6/132682564/224dd11e.pdf
    • https://pulepuvoko.weebly.com/uploads/1/3/4/2/134266128/b04855be47a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c35d.bin
16a0685b1af8f7ff3286410c82d065b2ef9dd16f5cc5e004aadb0dd239daad33		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC35D 3120 bytes
font_01_sfnt_off0000ce90.bin
f0f6729d94ee7799bcc64652edb017099fd4ca72a847d08e15d81ce2899324d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE90 5148 bytes
font_02_sfnt_off0000dff3.bin
fc64cde593dd6822a318f23fd72f7cb30fbee7fbc56d44f4fec8c4bec97ea66a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDFF3 11752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.