Malicious PDF — malware analysis report

Static analysis result for SHA-256 853c8719252becdc…

Verdict: MALICIOUS
File type: PDF
Size: 72.1 KB
Created: 2020-12-08 12:31:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b9f868f3d9aae7768d6a00aec04465ac
SHA-1: b2954eadfe86d1eadda7b1c07d1d0a34526376fc
SHA-256: 853c8719252becdc7e06507a7a8befef0a070c46770147350ec59950ab75199b
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many pointing to S3 buckets, which is indicative of a link farm or SEO spamming technique. One of the external URIs, 'https://traffine.ru/strik?utm_term=jang+geun+suk+2020', is flagged as suspicious. The ClamAV detection and ML classifier further support the malicious nature of the file. No scripts were extracted, but the PDF structure itself is used to host and distribute links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8413

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL: https://traffine.ru/strik?utm_term=jang+geun+suk+2020

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000c92f.bin
    SHA-256: 1f4125aa3aa7e245e77549e886f7c4c4b50a1987a76b0a2f4e2ae1ac156e8a95
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC92F
    Size: 2912 bytes
  • font_01_sfnt_off0000d39c.bin
    SHA-256: f20c599cdd00f0c87c9dd05472797399c40abf18f36d58e78d3a0bb475e833de
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD39C
    Size: 4696 bytes
  • font_02_sfnt_off0000e394.bin
    SHA-256: 98ff60ba4e447c26bc9080c5cb3779f2af757e87805066f66fb430234a51441e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE394
    Size: 10472 bytes
  • font_03_sfnt_off000107c7.bin
    SHA-256: 25bea5b448335c23564653704c4f6c5477daa4b761eb732fa738313325ef7d23
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107C7
    Size: 16104 bytes