Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ac2af8fa4c3b166…

MALICIOUS

PDF

Size: 86.9 KB
Created: 2020-11-23 20:24:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bff50b1261f1929dd5b886ea75ac31d
SHA-1: d27dfcf3160afdf533a18ffe3f664c18548fbcc4
SHA-256: 9ac2af8fa4c3b166d22f9ab5af2b5035cd8b160c4153f7c5983135d9487c0278
Risk Score: 186

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous external links, most of them to other PDFs parked on free or disposable hosting (weebly.com subdomains, cdn-cms.f-static.net, uploads.strikinglycdn.com, an S3 bucket), which is the pattern of a generated SEO link-farm carrier rather than a document with genuine citations. The single link to traffnew.ru carries a utm_term search-keyword parameter ("third harry potter book online"), i.e. it is an SEO redirector that records the query that led the victim to the file. Both link-farm heuristics fired: counted by fully qualified hostname the links are spread thin across many hosts, but grouped by hosting provider seven of the thirteen linked PDFs sit on weebly.com subdomains. ClamAV (a Pdf.Phishing.Trojan signature) and the ML classifier (score 0.9996) independently flag the file as malicious. The file itself carries no exploit; the risk is in the linked destinations. The producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a carrier generated automatically from a web page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • Small PDF contains mass external PDF link farm  [critical]  PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0  [critical]  CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting  [medium]  PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI  [info]  PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies  [info]  PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries below are XMP metadata namespace identifiers, and the scripts.sil.org/OFL, dejavu.sourceforge.net and ascendercorp.com entries are most likely licence and vendor strings from the embedded fonts' name tables (four sfnt fonts are carved below); they are not clickable link annotations.
    • https://traffnew.ru/strik?utm_term=third+harry+potter+book+online
    • https://kinumonitebira.weebly.com/uploads/1/3/4/6/134605003/8621682.pdf
    • https://buximinolid.weebly.com/uploads/1/3/1/3/131381316/kazuwob.pdf
    • https://vajibenutiw.weebly.com/uploads/1/3/4/4/134487234/5638319.pdf
    • https://nulixedupalaz.weebly.com/uploads/1/3/0/7/130739510/f9d35c548f746a.pdf
    • https://dedelazixuni.weebly.com/uploads/1/3/4/5/134596723/tejaf.pdf
    • https://tipefejiri.weebly.com/uploads/1/3/0/9/130969755/befeze.pdf
    • https://cdn-cms.f-static.net/uploads/4469631/normal_5fa9048941fd6.pdf
    • https://cdn-cms.f-static.net/uploads/4392857/normal_5fa783b56ec69.pdf
    • https://datirelegewewat.weebly.com/uploads/1/3/4/3/134329883/40a660906.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/fca938fc-406b-4bc3-b8df-855428e651fa/post_office_notary_public.pdf
    • https://uploads.strikinglycdn.com/files/00d4ff4a-9bb1-48ad-905a-67539255535c/jexunavoxomidififilawero.pdf
    • https://uploads.strikinglycdn.com/files/b5998541-d1a0-4b7e-bc94-3a81aab070f4/cdl_manual_ny.pdf
    • https://s3.amazonaws.com/zusevamasor/chief_compliance_officer_job_description.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
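To make the three structural heuristics above concrete (PDF_SEO_LINK_FARM, PDF_SEO_DISPOSABLE_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), here is an added triage script. It is example code written for this page, not the scanner's implementation: it scans raw PDF bytes with regular expressions instead of a full parser, and the thresholds (200 KB "small", at least four .pdf links, one host carrying half the links counts as "clustered"), the disposable-host list and the two constructed sample PDFs are this example's own assumptions. The hostnames `one-host.example` and `redirector.example` are placeholders.

```python
"""Added example (not the scanner's code): regex-level PDF triage reproducing the
shape of the report's link-farm and duplicate-object heuristics on raw bytes.
Thresholds, host lists and the sample PDFs are assumptions made for this example."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed thresholds (not taken from the report).
SMALL_PDF_MAX_BYTES = 200 * 1024
MIN_PDF_LINKS = 4            # "many clickable external PDF links"
DOMINANT_HOST_SHARE = 0.5    # one host carrying >= half the links = "clustered"
# Free/disposable content hosts, taken from the hosts seen in the report's URL list.
DISPOSABLE_HOSTS = (".weebly.com", "cdn-cms.f-static.net",
                    "uploads.strikinglycdn.com", "s3.amazonaws.com")
# Dictionary keys that make a duplicated object "active content" (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI")

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                           # /URI (target)
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)   # N G obj ... endobj


def build_sample_pdf(uris, extra_objects=b""):
    """Constructed fixture: a minimal PDF with one /Link annotation per URI
    (objects 4..). It emits only the syntax the regexes below look at and is
    not the file analysed in the report."""
    annots = []
    body = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    body += b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    for num, uri in enumerate(uris, start=4):
        annots.append(b"%d 0 R" % num)
        body += (b"%d 0 obj << /Type /Annot /Subtype /Link "
                 b"/A << /S /URI /URI (%s) >> >> endobj\n") % (num, uri.encode())
    body += b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [%s] >> endobj\n" % b" ".join(annots)
    return body + extra_objects + b"trailer << /Root 1 0 R >>\n%%EOF\n"


def extract_uris(data):
    """Targets of every /URI action found by a raw byte scan (no PDF parser)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def is_disposable(host):
    return any(host.endswith(suffix) for suffix in DISPOSABLE_HOSTS)


def link_farm_findings(data):
    """Apply the report's two SEO link-farm rules; return the rule IDs that fire."""
    if len(data) > SMALL_PDF_MAX_BYTES:
        return []                                   # both rules require a small PDF
    uris = [u for u in extract_uris(data) if u.startswith(("http://", "https://"))]
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    if len(pdf_links) < MIN_PDF_LINKS:
        return []
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    top_count = hosts.most_common(1)[0][1]
    if top_count / len(pdf_links) >= DOMINANT_HOST_SHARE:
        return ["PDF_SEO_LINK_FARM"]                # clustered on one host
    seo_redirector = any("utm_term" in parse_qs(urlsplit(u).query) for u in uris)
    parked = sum(1 for h in hosts.elements() if is_disposable(h))
    if seo_redirector or 2 * parked >= len(pdf_links):
        return ["PDF_SEO_DISPOSABLE_LINK_FARM"]     # spread thin, but corroborated
    return []


def duplicate_object_findings(data):
    """Flag 'N G obj' defined twice with different bodies. Severity is critical
    only when either body carries active content, as the report describes."""
    first_body, findings = {}, []
    for m in OBJ_RE.finditer(data):
        key, body = (int(m.group(1)), int(m.group(2))), m.group(3).strip()
        if key not in first_body:
            first_body[key] = body
        elif body != first_body[key]:
            active = any(k in body or k in first_body[key] for k in ACTIVE_KEYS)
            findings.append((key, "critical" if active else "info"))
    return findings


# Constructed samples: one clustered farm, one spread across disposable hosts with
# a utm_term redirector and two redefined objects (9 active, 10 benign).
CLUSTERED_SAMPLE = build_sample_pdf(
    ["https://one-host.example/uploads/%d.pdf" % i for i in range(6)])
DISPOSABLE_SAMPLE = build_sample_pdf(
    ["https://redirector.example/go?utm_term=free+template+download",
     "https://aaaa.weebly.com/uploads/1/2/3/a.pdf",
     "https://bbbb.weebly.com/uploads/1/2/3/b.pdf",
     "https://cdn-cms.f-static.net/uploads/1/c.pdf",
     "https://uploads.strikinglycdn.com/files/d.pdf"],
    extra_objects=(b"9 0 obj << /Title (Cover) >> endobj\n"
                   b"9 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
                   b"10 0 obj << /Title (Draft) >> endobj\n"
                   b"10 0 obj << /Title (Final) >> endobj\n"))

if __name__ == "__main__":
    for name, pdf in (("clustered", CLUSTERED_SAMPLE), ("disposable", DISPOSABLE_SAMPLE)):
        print(name, link_farm_findings(pdf), duplicate_object_findings(pdf))
```

Run against a real file with `link_farm_findings(open(path, "rb").read())`. The byte-level scan is deliberate for triage: it sees every `N G obj` definition, including the shadowed copies that a first-wins or last-wins parser would silently hide, which is exactly the condition the duplicate-object rule is looking for. It will miss URIs inside compressed object streams, so treat an empty result on a file that uses `/ObjStm` as "not scanned" rather than "clean".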

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt (TrueType/OpenType container) font streams, consistent with the wkhtmltopdf producer and the DejaVu/OFL font URLs listed above.

Filename: font_00_sfnt_off0000fac4.bin
  SHA-256: 3f8a996b1e4a71520eba5c0a136f2b425d034190cdda919de41dbb07370fa978
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xFAC4
  Size:    5124 bytes

Filename: font_01_sfnt_off00010c22.bin
  SHA-256: ee448ea0b942f8e3cc7ddfe0d5dc4c7c6f0a1a62bc92910c35c663b4662f014c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10C22
  Size:    2188 bytes

Filename: font_02_sfnt_off00011627.bin
  SHA-256: d7ad396276d25ce99481c234fa46bfbb97d13583d21ee0ed6f7d4dafceb88865
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x11627
  Size:    10368 bytes

Filename: font_03_sfnt_off0001396a.bin
  SHA-256: 3dae81b76154e7c62b3b0d30507344c78f02ee9172d09a03fe7a9af96af9e849
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1396A
  Size:    16116 bytes