Malicious PDF — malware analysis report

Static analysis result for SHA-256 750de0c7d49df2a0…

MALICIOUS

PDF

70.6 KB Created: 2021-01-03 13:55:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ddadb9f88ed5895745fd5a53df2a1fce SHA-1: d3d80985d3422cbf3894a07080878752975c82b0 SHA-256: 750de0c7d49df2a02eed76678900255c13c413e909afdaece33b933fc1ea753a
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of numerous external links, including those on disposable domains and a link farm heuristic, suggests a phishing or social engineering attempt to direct users to malicious content. The embedded URL and the heuristic for a disposable link farm further support this attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/aws?utm_term=milestone+tracking+template+excel
    • https://kukanoli.weebly.com/uploads/1/3/4/6/134641169/3a4be587d0a.pdf
    • https://gokulibom.weebly.com/uploads/1/3/4/2/134266198/vesef_zomudo_bixavo.pdf
    • https://cdn-cms.f-static.net/uploads/4366033/normal_5fb9624b74cb1.pdf
    • https://lubagoxojijefam.weebly.com/uploads/1/3/4/5/134514049/jeranumi-fikufu-teniw-gudobelobeb.pdf
    • https://cdn-cms.f-static.net/uploads/4384639/normal_5fb30b00bea06.pdf
    • https://kuvijoxujav.weebly.com/uploads/1/3/4/2/134266993/4867760.pdf
    • https://cdn.sqhk.co/nigulavax/cieqibs/air_raid_siren_alarm_sound_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/jenisozazewubo/webasto_diesel_heater_user_manual.pdf
    • https://s3.amazonaws.com/legesiliv/87268385873.pdf
    • https://uploads.strikinglycdn.com/files/9c0baa53-85ac-4786-b91e-c1faf3e72afb/minecraft_team_extreme_launcher_download_free_1.8.8.pdf
    • https://s3.amazonaws.com/feliso/update_android_mxq_tv_box.pdf
    • https://uploads.strikinglycdn.com/files/f21a3fae-dc42-4e0a-bbb9-778a66bcd8f4/tomidupamifenunavad.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cbfa.bin
56f20c5700e07560b90d33580159c86f2931c20bfe0975ee8665ac3c9598dfbf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCBFA 5180 bytes
font_01_sfnt_off0000dd83.bin
0c969d2ab851f6b77b40799ba051ca9700cd419cd9eec3943e3e4e41673c75ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDD83 10000 bytes
font_02_sfnt_off0000ffc5.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFFC5 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.