Malicious PDF — malware analysis report

Static analysis result for SHA-256 9605aa7ce15f3c48…

Verdict: MALICIOUS
File type: PDF
Size: 92.4 KB
Created: 2020-12-24 00:41:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-31
MD5: 8053db47d52aa377f60e130f69f1f758
SHA-1: 333de3b007aa01b1743e85eceef10d8455f4128b
SHA-256: 9605aa7ce15f3c489fd39c8227766152343663bd7a943e0fd0a655328a3d73f5
Risk Score: 214

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains numerous links, many of which point to known malicious redirector infrastructure or link farms designed to host further malicious content. The document body, though heavily obfuscated, appears to be a lure for downloading software, specifically mentioning 'Hill car game download apk'. The presence of multiple external links and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure [critical, PDF_MALICIOUS_REDIRECTOR_LINK]
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    This small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000cf04.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCF04 | 8588 bytes | 7987035d3d40f61bca6142d06164dc358252ec9c8b8b2b25146cdd0c6e6c2f10
font_01_sfnt_off0000eb2c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB2C | 5332 bytes | e3f6e76e248a204c4856ee0b98201756db8a82f7d941b7bac3a3f0101b30d17c
font_02_sfnt_off0000fd47.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD47 | 3720 bytes | d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280
font_03_sfnt_off000108aa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x108AA | 10832 bytes | a110730e89bf972e243814cf5cad67cc52e83a8f31d54bd6def6e7a2d5059b2c
font_04_sfnt_off00012d9f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12D9F | 16060 bytes | c46c0605e6de68f526770b35f02e9451d7ae7c0e0d79b6a66872b6650ded16ce
font_05_sfnt_off00014276.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14276 | 10864 bytes | c3098a352cd83461be6e5f149e3b515bd06163bd64095ce584091956aa2daf2a