Malicious PDF — malware analysis report

Static analysis result for SHA-256 86ef63ecb1393de0…

MALICIOUS

PDF

57.4 KB Created: 2020-11-27 00:06:27 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ddf484c80d6a652ccfb15f5d81e4e5be SHA-1: 1edf89c692f050de0968c1356936976e951ce9bc SHA-256: 86ef63ecb1393de01d18689cc2438f26d49f468b5963e74ff8926a62ae3348f1
236 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier. The heuristics indicate it functions as a link farm and employs social engineering tactics, specifically a 'Browser extension / update installation lure' and a 'Password-protected archive handoff' pretext. These tactics aim to trick the user into downloading and executing further malicious content, likely by directing them to external URLs that host malicious payloads or exploit kits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/aws?utm_term=lagu+lily+dangdut+new+rossita
    • https://cdn-cms.f-static.net/uploads/4369163/normal_5f8dfdeb4225e.pdf
    • https://zeginuvo.weebly.com/uploads/1/3/0/7/130775519/lobal-kukifusovi.pdf
    • https://cdn-cms.f-static.net/uploads/4366004/normal_5f9c46789aa23.pdf
    • https://cdn-cms.f-static.net/uploads/4370768/normal_5f884480be293.pdf
    • https://cdn-cms.f-static.net/uploads/4409254/normal_5fa50f3b95dd6.pdf
    • https://petavigavixate.weebly.com/uploads/1/3/4/4/134459614/rabamedi.pdf
    • https://cdn-cms.f-static.net/uploads/4366024/normal_5f8a7d1153eca.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b7b52648-55d6-4512-b202-8669c4bd75f1/38228239182.pdf
    • https://uploads.strikinglycdn.com/files/d4baf5ce-6a9d-46bb-8663-e28b069b28a6/once_upon_a_time_prince_charming_twin.pdf
    • https://uploads.strikinglycdn.com/files/4f9f9263-5d02-4d28-8024-a603cbdb10a7/26205511336.pdf
    • https://uploads.strikinglycdn.com/files/37972e2e-a312-4dae-94dd-66d3a88d9dfe/ley_180_laboral_puerto_rico.pdf
    • https://uploads.strikinglycdn.com/files/84b78abe-3d2e-4dd0-9ebb-984a2380fd7d/58782206757.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a8f5.bin
7a538190e7a9a985aa3c81133e4e4219424f028af388c6eef7bdac48dff8dd9a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA8F5 5128 bytes
font_01_sfnt_off0000ba90.bin
1d386cfb5d57b25272dd2cde62c49a5c43c1b55ed4a9fa74f4f5fd4a99c8f476		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBA90 8944 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.