Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e305efe8a4bd6ca…

MALICIOUS

PDF

77.3 KB Created: 2020-11-23 00:18:38 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-27
MD5: 0a2967ed019c301492f264f9d23281b5 SHA-1: 1d804c48d8c65e15b71ef6c590050442a725fbde SHA-256: 8e305efe8a4bd6ca079f55162fcde797be4c4394971cb208ebc86e50fb62a5b0
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and an ML classifier, specifically flagging it as a redirector link and a link farm. The embedded content, though heavily obfuscated, suggests an attempt to disguise the malicious nature. The primary attack vector appears to be directing users to external URLs, one of which is a known malicious redirector, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/123?utm_term=galaxy+empire+guide In PDF document text
    • https://xanugobolenaz.weebly.com/uploads/1/3/4/3/134371028/wipelalutimoj.pdfIn PDF document text
    • https://sizukejagu.weebly.com/uploads/1/3/2/6/132681884/dodivij.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4385417/normal_5f9967da1f0bd.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/wilugugo/2185744643.pdfIn PDF document text
    • https://s3.amazonaws.com/geradi/weber_carburettors_tuning_tips_and_techniques.pdfIn PDF document text
    • https://s3.amazonaws.com/geradi/gilamabaxabejasujugej.pdfIn PDF document text
    • https://s3.amazonaws.com/vavejijitatofu/angular_template_variable_inside_ngfor.pdfIn PDF document text
    • https://s3.amazonaws.com/farezelof/french_and_indian_war_map_worksheet.pdfIn PDF document text
    • https://s3.amazonaws.com/tokit/papemivo.pdfIn PDF document text
    • https://s3.amazonaws.com/woxojuxafopuv/1763404074.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e719.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE719 5300 bytes
SHA-256: abdcc36dd8831e3bf206bcb0d9a8e3c100dc2ce6000dca3032a321f7531ab942
font_01_sfnt_off0000f910.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF910 1800 bytes
SHA-256: daad3f347a4f42f432ee9983e619a7c063e36761dba5934b469418034847e28e
font_02_sfnt_off0001019e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1019E 11448 bytes
SHA-256: 0efd8a9fee8ee5490dd284b9600242c7fe0b7c8cd2d714a3cb04fb9a93a416f2

Open this report in the interactive analyzer, or submit your own file for analysis.