Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5dab9ec0cf5add8…

MALICIOUS

PDF

97.2 KB Created: 2020-11-21 22:40:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d42e78b5f805fb66870138cc2737707 SHA-1: 17572c70329fa4013b41582f14f8094ba5ceeb2b SHA-256: a5dab9ec0cf5add82ee3030346b5c3ac54fe6443dcc788c1b266c3738267b793
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used in SEO spam or phishing campaigns to drive traffic to malicious sites. The heuristic 'PDF_SEO_LINK_FARM' specifically indicates a large number of external links within the document. The presence of a URL pointing to 'traffine.ru' further supports this, as it is likely part of a link farm designed to manipulate search engine rankings or distribute malware. Although no scripts were explicitly extracted, the PDF structure and link farm heuristic suggest an attempt to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/123?utm_term=florida+studies+weekly+grade+3+answer+key
    • https://cdn-cms.f-static.net/uploads/4415292/normal_5fa11d42e738f.pdf
    • https://cdn-cms.f-static.net/uploads/4416654/normal_5f9c69a747c4f.pdf
    • https://nuvefiwepopowu.weebly.com/uploads/1/3/4/5/134502743/ad0b2ea5c9.pdf
    • https://cdn-cms.f-static.net/uploads/4447093/normal_5faf3c2e6b2bb.pdf
    • https://cdn-cms.f-static.net/uploads/4411922/normal_5f9667c4805b9.pdf
    • https://cdn-cms.f-static.net/uploads/4365545/normal_5f88108b65109.pdf
    • https://xevujudibibabus.weebly.com/uploads/1/3/4/5/134599482/5fd6345.pdf
    • https://cdn-cms.f-static.net/uploads/4465003/normal_5fa8e1ef59929.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/99736053-8d54-49ab-a243-bf0b8ef63595/schnuffel_bunny_song.pdf
    • https://uploads.strikinglycdn.com/files/e56a6b1c-705c-40f2-99cc-362db1136fb2/dasefupeziba.pdf
    • https://uploads.strikinglycdn.com/files/45967ec8-615c-4e42-8630-321f2c53c313/fufoxidonuwewejogorepewe.pdf
    • https://uploads.strikinglycdn.com/files/15f279e5-6a49-4280-b5d4-32aa160eb025/bukoz.pdf
    • https://uploads.strikinglycdn.com/files/dc490f3e-2862-4a42-bd48-7a5ab647d5f8/une_fois_pour_toutes_answer_key.pdf
    • https://uploads.strikinglycdn.com/files/21561b1f-4ca7-46b5-9fd2-f6b1435de3eb/where_can_i_watch_ghostbusters_2016_online_for_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001411e.bin
9abd3b9cd33d5727dfd74cfbc0b635b5ad1562252bf2b6351a2938100a30d2fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1411E 5372 bytes
font_01_sfnt_off0001538e.bin
bdeb3f18aa4b846a1359154ca258648ade2edddd6eb5828b81488decbff40777		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1538E 10752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.