Malicious PDF — malware analysis report

Static analysis result for SHA-256 afab8a3ec7cb85e7…

MALICIOUS

PDF

Size: 79.8 KB
Created: 2020-12-19 11:42:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cdfbbd699803975084259e8d2d6f33c2
SHA-1: 728fa768d7cece075142c5854d958333762dd8e2
SHA-256: afab8a3ec7cb85e76c3b2a47a4b958d3d388ddb9b28716aa8e4f391c133d6d72
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one critical heuristic flagging it as a link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. The presence of a URL pointing to 'traffnew.ru' suggests a potential phishing or C2 server, while other links may be used to obscure the malicious activity. No scripts were extracted, but the PDF structure itself is suspicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://traffnew.ru/aws?utm_term=avira+free+android+security+kostenlos
    • https://cdn-cms.f-static.net/uploads/4469828/normal_5fda3e7714241.pdf
    • https://cdn-cms.f-static.net/uploads/4369149/normal_5f89bb34cca73.pdf
    • https://duzareledibasa.weebly.com/uploads/1/3/4/8/134890493/fesikob.pdf
    • https://pasifoberili.weebly.com/uploads/1/3/4/8/134881239/loxonelepit.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://static1.squarespace.com/static/5fc527a3c6229360ecc88336/t/5fc9453c7815eb30dbed5a25/1607025981498/julizunita.pdf
    • https://uploads.strikinglycdn.com/files/5cdd3f51-8d5d-48cc-a051-a4f4e06121f9/78671454646.pdf
    • https://uploads.strikinglycdn.com/files/bf04803c-4650-4cec-96a9-9e2f4ad2ade4/19783291890.pdf
    • https://static1.squarespace.com/static/5fc65200ea4a794d566a2ee3/t/5fd1573eac13f65f66044833/1607554882730/61669846167.pdf
    • https://uploads.strikinglycdn.com/files/37caabfa-0a0a-4698-b8a4-bfff285c0dc5/tubatikexa.pdf
    • https://static1.squarespace.com/static/5fce2dc706af1e3f448c2ec4/t/5fd69ad5491a58544a1a80e2/1607899862470/achievement_motivation.pdf
    • https://s3.amazonaws.com/xazarujokemus/cares_act_2020_deadlines.pdf
    • https://uploads.strikinglycdn.com/files/f434e35d-c022-4e64-9243-718860112be6/circumference_and_arc_length_worksheet_answers.pdf
    • https://uploads.strikinglycdn.com/files/a7368bd3-d085-4d08-8713-efb4acd36c88/23960218037.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbcf5083fdc31513a0ee891/1606219017344/what_does_it_mean_to_lost_hope_in_mankind.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000cf72.bin
  SHA-256: 9642864a438d1a1ef43f4f5f9d33e129da8da1aa3f5bcaa2307d5cee7791398a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCF72
  Size: 5112 bytes

font_01_sfnt_off0000e0ed.bin
  SHA-256: da5cce77c7538949afcd04b9c665d50cc274d525c9c1ace3b6af8e74d370746e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE0ED
  Size: 14988 bytes

font_02_sfnt_off00010e14.bin
  SHA-256: 04a2ae76520c80aca65e44babf2a69a19f146bff1eb6fcafef8956207b1925a7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10E14
  Size: 16344 bytes

font_03_sfnt_off000123ca.bin
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x123CA
  Size: 4324 bytes