Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f06988265d2c388…

MALICIOUS

PDF

79.3 KB Created: 2021-01-17 15:49:32 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 356678cb464bcc54bf8c42897b5ef6af SHA-1: 902fa964576ba555fd0dd2136e610691c183b836 SHA-256: 6f06988265d2c388004868f63e7b9d8324edba8261dacc3d19bc78ecba56a8b3
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, including a link farm, suggesting a phishing or SEO poisoning attempt. The heuristic 'SE_BROWSER_INSTALL_LURE' indicates the document likely prompts the user to install something, which is a common tactic for malware delivery. While no scripts were directly extracted, the presence of external links and the ML classification strongly suggest malicious intent, likely to redirect users to malicious sites or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/aws?utm_term=computerized+accounting+system+free
    • https://static.s123-cdn-static.com/uploads/4427498/normal_5fcbb8911a73d.pdf
    • https://site-1172290.mozfiles.com/files/1172290/eclipse_tomcat_java_heap_space_error.pdf
    • https://cdn-cms.f-static.net/uploads/4421940/normal_5fbc6439872f4.pdf
    • https://puperoriwob.weebly.com/uploads/1/3/4/7/134715375/xorasabagogawe_wuwenegum.pdf
    • https://site-1172290.mozfiles.com/files/1172290/dinegonolafa.pdf
    • https://site-1216718.mozfiles.com/files/1216718/20318320599.pdf
    • https://site-1187779.mozfiles.com/files/1187779/17523770618.pdf
    • https://static.s123-cdn-static.com/uploads/4420459/normal_5fed5f8ba6465.pdf
    • https://site-1166625.mozfiles.com/files/1166625/google_local_guide_perks_redeem.pdf
    • https://cdn-cms.f-static.net/uploads/4424347/normal_5fd614f4beebe.pdf
    • https://cdn-cms.f-static.net/uploads/4392854/normal_5f8f21fef05bb.pdf
    • https://site-1180826.mozfiles.com/files/1180826/lucky_songs_mp3.pdf
    • https://cdn-cms.f-static.net/uploads/4468819/normal_5fb470db76407.pdf
    • https://site-1174611.mozfiles.com/files/1174611/zalikewupalubol.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/tomaxade/discount_tobacco_store.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f6eb.bin
0670f1917eb7b60bea53bf29ab7da49002ea46a91af3aeb5528f9993b101aa0e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF6EB 5500 bytes
font_01_sfnt_off00010999.bin
766185c112a21a02df6d8297bd692027b59248151a70470c95bf1d476587a4d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10999 11292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.