Malicious PDF — malware analysis report

Static analysis result for SHA-256 5da6d6f65a6cdabe…

MALICIOUS

PDF

90.8 KB Created: 2020-12-30 23:32:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 937a4fe9c50734cbaff3d1ca58230c7c SHA-1: d6428ae8efbfb9644a167d644e71a0669bd7bc5d SHA-256: 5da6d6f65a6cdabe59613189ef96f6d494ce43955f38305b9e58825b9852cad3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting an attempt to manipulate search engine rankings or redirect users to malicious sites. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and embedded URLs point towards a malicious document designed to lead users to external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/123?utm_term=conference+call+discussion+topics
    • https://cdn-cms.f-static.net/uploads/4366360/normal_5fdaaff092787.pdf
    • https://padazuvotoj.weebly.com/uploads/1/3/4/6/134687326/6258397.pdf
    • https://cdn-cms.f-static.net/uploads/4376099/normal_5f97dd50efe87.pdf
    • https://cdn-cms.f-static.net/uploads/4365620/normal_5f93d495eacd3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/zodererezuzuxi/62693308703.pdf
    • https://s3.amazonaws.com/topipovikapari/sony_android_tv_43_inch_review.pdf
    • https://s3.amazonaws.com/divelikubapiwaj/bee_movie_app_online.pdf
    • https://s3.amazonaws.com/venunamazozuzo/74712019340.pdf
    • https://s3.amazonaws.com/bojafazes/jaxorimub.pdf
    • https://s3.amazonaws.com/dinisemowoge/41726614659.pdf
    • https://s3.amazonaws.com/sazomo/21310195812.pdf
    • https://s3.amazonaws.com/kevava/5_string_banjo_sheet_music.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000120ea.bin
7e70738e4601bd66e741b5d92b0a143b4c0de8656adba4ad8430399f55a8bf93		 pdf-font-stream PDF embedded font (sfnt) at offset 0x120EA 5052 bytes
font_01_sfnt_off0001322a.bin
974ab3d8ec7e7ad5bb43961f2c7a7c4b9fcfc0bd168e65c2a41b12b90b801bb4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1322A 14164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.