Malicious PDF — malware analysis report

Static analysis result for SHA-256 67cc4f7c939bf5df…

MALICIOUS

PDF

92.6 KB Created: 2020-11-29 13:46:39 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: aef22e68b468f99dbc918e34fcccf6e0 SHA-1: 2654d1338eb277c3c8839743da04a89e6b9dd643 SHA-256: 67cc4f7c939bf5df229bc1b5cfc0fabc085f4e5ab1e48f2b4758d766a1328bd6
242 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple embedded links, with a critical heuristic firing for a malicious redirector. The primary malicious URL identified is 'https://traffking.ru/aws?utm_term=html+string+to+pdf+nodejs', which is likely used to funnel victims to malicious content. The document also contains a large number of links to various domains, suggesting a link farm or SEO poisoning attempt to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8953

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/aws?utm_term=html+string+to+pdf+nodejs In PDF document text
    • https://bevarolemi.weebly.com/uploads/1/3/4/6/134685224/tunafezofamofux-timari-nemimoxafinam-sapepus.pdfIn PDF document text
    • https://fanawilixu.weebly.com/uploads/1/3/1/4/131408209/sibaw-deledosoziza.pdfIn PDF document text
    • https://warakamaluxib.weebly.com/uploads/1/3/4/3/134378328/vejat.pdfIn PDF document text
    • https://bitujidup.weebly.com/uploads/1/3/4/5/134598072/3791f.pdfIn PDF document text
    • https://gekeforoka.weebly.com/uploads/1/3/1/4/131438206/fulofu_miwupat_xojanun.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4468286/normal_5faf41e8aff85.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4460233/normal_5fb724727e39d.pdfIn PDF document text
    • https://xojerajap.weebly.com/uploads/1/3/1/3/131384359/zebapesuluboxaj.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://fedorahosted.org/lohitIn PDF document text
    • https://s3.amazonaws.com/muvazi/88085245492.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8ac4f8c3-1d10-4c18-ae05-f46ba1ce6362/begasikesiligif.pdfIn PDF document text
    • https://s3.amazonaws.com/tanikanaw/bpss_application_form.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6f20e47a-0ef9-4f88-b9c2-145fc9574294/52500499224.pdfIn PDF document text
    • https://s3.amazonaws.com/muwomapotumugi/acetone_chloroform_polar.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/bcec5394-8b7f-4686-9210-e2c2cd31f366/bowditch_middle_school_loop.pdfIn PDF document text
    • https://s3.amazonaws.com/vatakefojunib/35862300624.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/7584624d-649a-4b33-9a73-8836c26a374b/87396732403.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/50356237-40e1-4ac4-851c-7e280a053620/napunebobog.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNUIn PDF document text
    • http://www.gnu.org/copyleft/gpl.htmRegularIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010f8a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10F8A 4032 bytes
SHA-256: 9440f71eefa4f59c7a71b16fb0b9f65724f2db68f71ee41650680a98f027c4b0
font_01_sfnt_off00011dfb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11DFB 5188 bytes
SHA-256: f5add98961acafcab45012f69d29a66f6a3b610d366a8d06f73f7308db5196a9
font_02_sfnt_off00012f90.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12F90 2656 bytes
SHA-256: ff8289fcab20b7b81f5dc7c47458689637225d7099c48932a46d6898d6123f6c
font_03_sfnt_off00013a95.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13A95 4140 bytes
SHA-256: 2a2f73c0ee504ae8509221dab9a50e72e6c400a18e3952d3eee660ba18a0c3b1
font_04_sfnt_off000147bb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x147BB 2604 bytes
SHA-256: 5fd53e2058c4f5d98b70161d670f1e42036942552fef68ac845a5e47e2d7f715

Open this report in the interactive analyzer, or submit your own file for analysis.