Malicious PDF — malware analysis report

Static analysis result for SHA-256 8695d2107e45a303…

Verdict: MALICIOUS
File type: PDF
Size: 107.0 KB
Created: 2020-11-14 12:14:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: 4a6f872e379fde47099e0318be7127c1
SHA-1: 9076093c0be7c4d7fcf23ddd611aae46c71369c7
SHA-256: 8695d2107e45a303e39329395a3a75924d8daf22e66eb185fb9152a456038336
Risk Score: 214

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and routes users through malicious redirector infrastructure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001476f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1476F
    Size: 6124 bytes
    SHA-256: fec6a80aab7fa72478fb3c35936d7f07d7210ae8d2918a382384f0646f104f75
  • font_01_sfnt_off00015cbc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15CBC
    Size: 4928 bytes
    SHA-256: dd08020ab410c6dd454e388ad494aa4ff2067c2fef8409e951506e50c1814061
  • font_02_sfnt_off00016da0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16DA0
    Size: 16568 bytes
    SHA-256: 47527a46c5f53e5be6e87e0b71ebe09a507da17a0eaa8c6bf76ef3d11da067d8