Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b0414393dd1200d…

Verdict: MALICIOUS
File type: PDF

Size: 69.9 KB
Created: 2020-12-15 03:59:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b8c0e7b430a90b00a709f0b98db941e
SHA-1: d67246c0845d16cd370e895784fb9324d68a6a02
SHA-256: 8b0414393dd1200d694f27a6afec359dd9043cfd4d870ee5f49609b116a19449
Risk score: 176

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains numerous external links, many of which are part of a link farm, and is flagged by a machine learning classifier and ClamAV as malicious. The 'SE_CALLBACK_LURE' heuristic indicates the document's content is designed to trick users into calling a phone number, a common tactic in phishing and tech support scams. While no scripts were explicitly extracted, the PDF structure and heuristics suggest it may exploit vulnerabilities or redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9997

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ca3e.bin | 58a8165b1c902d78380c8d7e510cc0cb33b06b600f2a63878041fb62db18f1f5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCA3E | 4712 bytes
font_01_sfnt_off0000d9f2.bin | a1e2d9979cdb8b654ee37409702585e3260d600f5fe3f4dead9ad254d038f109 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD9F2 | 10480 bytes
font_02_sfnt_off0000fcd9.bin | 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFCD9 | 4324 bytes