Malicious PDF — malware analysis report

Static analysis result for SHA-256 95b267ebcfc64fab…

MALICIOUS

PDF

58.6 KB Created: 2020-12-13 14:04:31 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-07
MD5: 2f1b62be8d72c751e960d89c1bb46d63 SHA-1: 2a7cc52f12c9c5580602e9afe53957dfb271f8d2 SHA-256: 95b267ebcfc64fab7bb8b82a9632ab8879279e070d1997188a4c3025c22c01ca
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting an attempt to manipulate search engine results or distribute malicious content. One prominent URL, 'https://traffnew.ru/aws?utm_term=betika+free+apk', is directly embedded and likely serves as a lure. The ClamAV detection and ML classifier further indicate malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8068

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffnew.ru/aws?utm_term=betika+free+apk PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4490251/normal_5fbe32e7bd60e.pdfIn PDF document text
    • https://zemodeviwiteg.weebly.com/uploads/1/3/4/3/134351550/87e644654aab.pdfIn PDF document text
    • https://lajutiruwogow.weebly.com/uploads/1/3/4/5/134585316/vibaza.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4423452/normal_5f96e79541b0e.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4407795/normal_5fbd8765caace.pdfIn PDF document text
    • https://pipalilivo.weebly.com/uploads/1/3/4/3/134310902/kekipitopigugut_xesar_zaluzoreda.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4450158/normal_5fd3b90a3d762.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/33ecbc8d-537a-4f2b-aa80-9e43b4e6b7fb/fiwufupurolijoti.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/51a6703c-0c7b-4009-bbe5-beca1b4904a2/nitukopipo.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6662abe9-7638-4f5b-8344-d5ed5b986ca1/scream_poster_face.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ff203b29-8c5f-4739-a0cf-697389ca6ddb/34999636587.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/41d51377-861f-4bfe-8867-7a05a4cc2323/16613754574.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/71b5d4c4-8b31-4da1-930e-5545e68f80b0/47620532860.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a5d717b7-a2e3-4e52-a972-3398eba61c3c/xokadumexovasenifof.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cc04.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCC04 4796 bytes
SHA-256: c8cf9d189cfa3ade74622b1144b5918ec857ba646f641f605b629690750bbf45