Malicious PDF — malware analysis report

Static analysis result for SHA-256 8cf3ded817df6481…

Verdict: MALICIOUS

File type: PDF
Size: 58.6 KB
Created: 2020-12-22 20:13:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e2515682f5c16bc7bfe05e743db1d402
SHA-1: 274224f71732b36b8d6c1d867cab379a77071913
SHA-256: 8cf3ded817df6481e4ac86b1311000097b49b01e74d79d415f1d2d7daae8871f
Risk Score: 212

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded links, with one identified as a known malicious redirector. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though partially corrupted, suggests a lure related to 'Apple iCloud id finder free', likely to trick users into clicking malicious links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8068

Heuristics (4)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Embedded URL info (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://gettraff.ru/aws?utm_term=apple+icloud+id+finder+free

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cd34.bin
SHA-256: dee0a04d4eb4803ff4192eba84fafbf305a050f0fbec1947ba77400b66d02641
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xCD34
Size: 4752 bytes