Malicious PDF — malware analysis report

Static analysis result for SHA-256 961d93bd0033227f…

MALICIOUS

PDF

81.5 KB Created: 2020-11-14 20:02:33 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c699f70445d6961091bff75ae67faafb SHA-1: 7be1984724467293a1ca9ba26f90c6e1e0dc207b SHA-256: 961d93bd0033227fc5d3b2745b8e566ffb2816e0a04fc1464a55b374603ea19f
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, suggesting a link farm or phishing attempt. The PDF_SEO_LINK_FARM heuristic specifically indicates a mass of external links, with the primary suspicious URL being https://traffset.ru/strik. While no scripts were explicitly extracted, the presence of numerous external links and the overall detection profile strongly suggest a malicious intent, likely related to phishing or SEO abuse.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/strik?utm_term=college+physics+volume+1+9th+edition
    • https://zogeliwev.weebly.com/uploads/1/3/4/3/134353139/cd5bf.pdf
    • https://mitixofixomu.weebly.com/uploads/1/3/4/3/134333727/2439787.pdf
    • https://gazesomudari.weebly.com/uploads/1/3/1/0/131070071/daful.pdf
    • https://vamewufu.weebly.com/uploads/1/3/4/3/134317042/gepoxisigonuterel.pdf
    • https://kubupukadumu.weebly.com/uploads/1/3/1/3/131382740/2164466.pdf
    • https://majizozu.weebly.com/uploads/1/3/4/5/134598595/8850325.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/318dfd5f-0876-40d2-b4c5-ff134bb78b99/48170246680.pdf
    • https://uploads.strikinglycdn.com/files/805625a0-3613-42c4-a1dd-fb11fc16dc94/sopusadagomadato.pdf
    • https://uploads.strikinglycdn.com/files/7cf3d8a9-b5cc-40bb-9890-06393d2c04ac/handshake_problem_equation.pdf
    • https://s3.amazonaws.com/kopisigapub/crazy_talk_application.pdf
    • https://uploads.strikinglycdn.com/files/75ea461e-786e-4c52-adac-a9402cc04d0c/46856611741.pdf
    • https://uploads.strikinglycdn.com/files/0a9371e5-588a-4098-8d0f-ba46afdf7669/nemilorisimujiso.pdf
    • https://uploads.strikinglycdn.com/files/48f86cc3-1e1c-4c3f-8345-978952b4cedb/tulepowonoxujutib.pdf
    • https://uploads.strikinglycdn.com/files/6f20321d-add4-479d-a2c7-594e9c25d674/bagedofufi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010055.bin
e513085a89fed6fe5f8adcc381e451bd7cdb4e34998dc47ff064b5b3341266a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10055 5456 bytes
font_01_sfnt_off000112db.bin
8a2d159dbf3f59ac2da808a37a6ecd71fca71ea0e9b2ca818e715753383441e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x112DB 11816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.