Malicious PDF — malware analysis report

Static analysis result for SHA-256 9be08d6318deae95…

MALICIOUS

PDF

70.4 KB Created: 2020-12-23 15:10:38 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-14
MD5: dcf827e0b1413d3561aa03e5459dbf62 SHA-1: 38b76f63d3ada836f8a93b857cc2ddfd2798f484 SHA-256: 9be08d6318deae9572db1081e200e5caba2be93cbb78cb095462c360f80ce68e
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains numerous embedded links, with at least one pointing to known malicious redirector infrastructure (https://traffmen.ru/aws?utm_term=android+os+for+laptop+64+bit). The document's structure and link distribution suggest it is designed to act as a link farm, potentially leading users to phishing sites or malware downloads. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/aws?utm_term=android+os+for+laptop+64+bit In PDF document text
    • https://cdn-cms.f-static.net/uploads/4367278/normal_5fb801ce598b4.pdfIn PDF document text
    • https://dutajidadu.weebly.com/uploads/1/3/4/7/134730474/c62ab695cfd.pdfIn PDF document text
    • https://gajifawegux.weebly.com/uploads/1/3/4/6/134649352/2672573.pdfIn PDF document text
    • https://bazademirijef.weebly.com/uploads/1/3/4/4/134464354/7077603.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4476946/normal_5fa67a38c1886.pdfIn PDF document text
    • https://setumimirakav.weebly.com/uploads/1/3/2/6/132681532/ropusiravugogatu.pdfIn PDF document text
    • https://sepanafawo.weebly.com/uploads/1/3/4/3/134316973/tarokuni.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/acff6ebf-8b51-4dcc-9bc9-9e7bd64bef28/73885075367.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c1d33458-4254-4060-9649-2b7a7d3c5306/baguvabupumive.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/74c62469-7c6b-4681-9e3e-53b89997aab0/2008_wr250r_service_manual.pdfIn PDF document text
    • https://s3.amazonaws.com/liwafo/bright_futures_adolescent.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/035afd2c-6262-48ac-b7ad-a5621531c0ec/komm_susser_tod.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ec41484a-0304-4f42-8c00-0d4e4d3b611b/zuvomumikomovovaxebub.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ff318f96-61c4-44c4-9532-c8d8786863f1/5786075383.pdfIn PDF document text
    • https://s3.amazonaws.com/petubapizo/kuroko_s_basketball_the_movie_last_game.pdfIn PDF document text
    • https://s3.amazonaws.com/fapaga/pj_daycare_the_movie.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0e7c42ca-0ac9-4eaf-8c34-b7a847617714/grammar_drills_english.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d320.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD320 5408 bytes
SHA-256: 96f9b52ca0cdaaf158745ec9a10e328a07932acd1b3b25d33ea8baf37ff268d9
font_01_sfnt_off0000e594.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE594 11312 bytes
SHA-256: 9d9265b12e44af1d662a98ec96e471f9fd3df5c9ab9f820f95eb3d5557c6842a