Malicious PDF — malware analysis report

Static analysis result for SHA-256 7064b95f54ae12a3…

Verdict: MALICIOUS
File type: PDF
Size: 89.5 KB
Created: 2020-12-17 07:00:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-03
MD5: 9dd5c07074e6844eacac14a94f80fa97
SHA-1: bf45f49dd9e238127501228649dfede13438e86e
SHA-256: 7064b95f54ae12a39bea319613943ee231841f0f94b43c98ed99594d8fd93e22
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ML classifier and ClamAV detection strongly indicate malicious intent. The primary malicious URL identified is trafffi.ru, which is likely part of a phishing or content-farming operation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/aws?utm_term=cincinnati+bearcats+football+uniforms+2019 (PDF link annotation)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists filename (kind): source, size, followed by its SHA-256.

  • font_00_sfnt_off0000c8b1.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xC8B1, 6588 bytes
    SHA-256: b3260a8b27c40a1c9408c40b3dcfb9ec9ded560232013cbc1ca8de37ebb5a831
  • font_01_sfnt_off0000d92b.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xD92B, 5552 bytes
    SHA-256: a8639e4f6e66f026185b0ddcac64b44788706753aa809a69f4b9c68e2271a672
  • font_02_sfnt_off0000ebec.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xEBEC, 15028 bytes
    SHA-256: 5f79c3aa2ab39c47d9217004bdf31c549e11a42e66fb7de75f1b197729552a13
  • font_03_sfnt_off00011a62.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x11A62, 10876 bytes
    SHA-256: 76ce5022e5f6ba27ca652d129596a277faf676d1daab229ff1588015c6a2070a
  • font_04_sfnt_off00013fb4.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x13FB4, 17432 bytes
    SHA-256: 7c11f471d327f77cbb694445fb2fe05a0ac3d5aa029fb21520590555b361292c