Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c2d83730a85c08c…

Verdict: MALICIOUS
File type: PDF
Size: 80.5 KB
Created: 2020-11-18 13:34:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bf00f1a445c1be756d978461a4456ff
SHA-1: 1dbb608d9608721082cd9713eb9414f40498fa9e
SHA-256: 6c2d83730a85c08c5d6523cf956fed0141d3e1db6db828b67c5c0c81bdcb9cf8
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many hosted on disposable domains, suggesting a link farm or SEO spam campaign. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as phishing. While no scripts were directly extracted, the PDF structure and numerous external URLs point towards a phishing or malicious redirection scheme.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffnew.ru/aws?utm_term=inscribed+polygons+in+circles+worksheet
    • https://kopepadozuko.weebly.com/uploads/1/3/4/5/134505487/9620989.pdf
    • https://cdn-cms.f-static.net/uploads/4369772/normal_5f8aa0972643f.pdf
    • https://biwugina.weebly.com/uploads/1/3/1/1/131163984/5386213.pdf
    • https://wiruwopifezub.weebly.com/uploads/1/3/4/3/134345133/mijejo_xisina.pdf
    • https://lokenomosotim.weebly.com/uploads/1/3/4/4/134499182/waten-xoseno.pdf
    • https://takaranedo.weebly.com/uploads/1/3/4/0/134017801/xales_nijabi_kekin_pejulezuv.pdf
    • https://bajusumuke.weebly.com/uploads/1/3/2/7/132741128/4318541.pdf
    • https://winomumamo.weebly.com/uploads/1/3/1/0/131070375/4fdee7971.pdf
    • https://cdn-cms.f-static.net/uploads/4368751/normal_5f9370c0cdc98.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.thdl.org/http://www.thdl.org/Tibetan
    • https://s3.amazonaws.com/somisilegex/brahmanic_tradition.pdf
    • https://s3.amazonaws.com/juzalizuvar/apc_back-_ups_750_software.pdf
    • https://s3.amazonaws.com/ditiruz/itil_continual_service_improvement_plan_template.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.htmlTibetan
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size (the SHA-256 of each carved file is listed under its filename).

font_00_sfnt_off0000c8fc.bin
  SHA-256: 82559e3905b9c6113f5da5e7b39f9f0d6c25ef6ecffb6676f81c2e69b206e03f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC8FC
  Size: 2388 bytes

font_01_sfnt_off0000d36d.bin
  SHA-256: 9d28d26dc13869aa252e63120aca8f9708bb8b6a708bdeb51f9a849c0eae4f78
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD36D
  Size: 5460 bytes

font_02_sfnt_off0000e615.bin
  SHA-256: b31d161f5bfc3e8e7dba903abe8a9fdd68bef64beecc0c78f8d4e3740a8fd419
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE615
  Size: 8544 bytes

font_03_sfnt_off0000f6a5.bin
  SHA-256: f5f06aa6b14b7e4f0b3f4ff050d62f4ef74cd7ed6a1142fbb47c8410e8197c87
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF6A5
  Size: 11724 bytes

font_04_sfnt_off00011e91.bin
  SHA-256: 496f0989ddfc8e91cdad78cb8a2fe9e9f82b4be740bc113ee5fc35f38148d852
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11E91
  Size: 16260 bytes