Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ca5cdb38b354021…

MALICIOUS

PDF

73.0 KB Created: 2020-12-21 10:16:10 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-07
MD5: d5f37e0c6d3eda7d3385c6b864cf10fc SHA-1: 9bec9b6a5372b4f1fa8a72c5685f3df785b5d19e SHA-256: 9ca5cdb38b35402152611d9ed06e9e8194a8ebba600ba675f8f22d92390fd491
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and an ML classifier. It contains a large number of external links, with the primary malicious URL being traffffi.ru. The document body is heavily obfuscated, but the presence of numerous external links suggests a link farm or redirection scheme designed to lead users to malicious content. No scripts were extracted, but the PDF structure itself facilitates the embedding of external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/strik?utm_term=empire+warriors+td+premium+tower+defense+games+%25D0%25B2%25D0%25B7%25D0%25BB%25D0%25BE%25D0%25BC PDF link annotation
    • https://zotadapavera.weebly.com/uploads/1/3/4/4/134483721/morupegibalex.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4380887/normal_5f904ae179af2.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4378628/normal_5f8b8ed31f1d1.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4370530/normal_5f8abcdde795a.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4486775/normal_5fbfe22f3710b.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4376874/normal_5fa630ed72659.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4408599/normal_5fb79dd4b0578.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4478946/normal_5fcefb24931eb.pdfIn PDF document text
    • https://fenatelelopowi.weebly.com/uploads/1/3/4/5/134510159/ramate_misuzibajim_wipogijini_kixitix.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/10ea6b56-e67b-498f-ae38-9716fe21e73e/happy_new_year_2020_to_post_on_facebook.pdfIn PDF document text
    • https://s3.amazonaws.com/fodose/jajakowa.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc0c28ca5bc066edfa50021/t/5fc44650fa04221c71a76df3/1606698577294/36088574299.pdfIn PDF document text
    • https://s3.amazonaws.com/sinadi/45603530127.pdfIn PDF document text
    • https://static1.squarespace.com/static/5fc0d446ab79f442f2293e00/t/5fc2de717acac6192a1f9cd3/1606606449542/wuunferth_the_unliving_in_jail.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6cc97103-723b-44ba-b281-534330f51368/gepolitowil.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c4e6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC4E6 5976 bytes
SHA-256: 4f2e62fb778ad2927cc680357e2637bc78e35ad51c2847babccd05dffca4355a
font_01_sfnt_off0000d8ff.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD8FF 10828 bytes
SHA-256: 05ead21865de32bba31a9cfb89429f9f9ae08d76795d17f6e8d8997bea0bacc5
font_02_sfnt_off0000fe39.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFE39 16296 bytes
SHA-256: 95e96a09560a4311197e0951171b1445abf99183597bc1688a7935fc0088a614