Malicious PDF — malware analysis report

Static analysis result for SHA-256 9480454225ded4bd…

MALICIOUS

PDF

Size: 81.8 KB
Created: 2020-12-21 01:55:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-31
MD5: 1a49b8a070011c4c509c825dfb4eb700
SHA-1: d4504f55871f6545e071f142492bcf633c515750
SHA-256: 9480454225ded4bd0601e6bbe59c96507025c164b28a0af41178529d7ca69288
Risk Score: 214

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links, with one identified as a malicious redirector. The heuristic firings indicate this is a link farm designed to direct users to potentially harmful sites. While no scripts were extracted, the presence of numerous links and the ClamAV detection strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d4fd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD4FD
    Size: 5056 bytes
    SHA-256: d9537e3422f1cc27edf613d041c57692f54e30a05d78ae4e232840457d9698be
  • Filename: font_01_sfnt_off0000e63c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE63C
    Size: 2292 bytes
    SHA-256: 904588aed0987a99af5d8ca239364e36acb4b993f847a710ad2ee89eaaba15db
  • Filename: font_02_sfnt_off0000f09d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF09D
    Size: 10772 bytes
    SHA-256: 2ff29d38e4f20d23e2467497e403475c6c6e9fe72007efe2ee1c7e39068d6541
  • Filename: font_03_sfnt_off000115c1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x115C1
    Size: 16376 bytes
    SHA-256: 684a3c196e802b4dc45ee85e0d12f41c83d6b6c6a55a83cec5fb8e332ee9aa36
  • Filename: font_04_sfnt_off00012b69.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12B69
    Size: 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361