Malicious PDF — malware analysis report

Static analysis result for SHA-256 b04eb6bd43c17912…

MALICIOUS

PDF

69.0 KB Created: 2020-11-18 16:14:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49d18ecf4f9397684075815f1fc4cbf2 SHA-1: 1fd486d65ffb75f0e34d4d7f92793d49a6144183 SHA-256: b04eb6bd43c17912cda907cd11574a5fa8cf3cb6d921de0367b5cca0c8b2e4c6
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains a significant number of external links, many hosted on disposable domains, suggesting a link farm or redirection scheme. The primary URL, https://trafffe.ru/strik?utm_term=dragon%2527+s+dogma+militant+dove, is likely used to direct users to further malicious content or phishing pages. No scripts were extracted, but the PDF structure itself is designed to facilitate the distribution of links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/strik?utm_term=dragon%2527+s+dogma+militant+dove
    • https://dadixuva.weebly.com/uploads/1/3/4/0/134018012/a3fd6b0fc3cb.pdf
    • https://risimapi.weebly.com/uploads/1/3/4/3/134321435/8073292.pdf
    • https://tibaxasunoz.weebly.com/uploads/1/3/4/5/134589804/15f13c16011e1e8.pdf
    • https://mufedagejex.weebly.com/uploads/1/3/4/7/134726032/9c521.pdf
    • https://kaxokotul.weebly.com/uploads/1/3/4/3/134380066/wiriwofo_joxifa_mutuz.pdf
    • https://vamewufu.weebly.com/uploads/1/3/4/3/134317042/6cdb0cd1e720315.pdf
    • https://cdn-cms.f-static.net/uploads/4384048/normal_5f9304c5481bb.pdf
    • https://wewiwefiwowofaj.weebly.com/uploads/1/3/4/3/134369931/jokomi.pdf
    • https://duzikasaropofe.weebly.com/uploads/1/3/4/4/134489835/jebafuleled.pdf
    • https://lolewifewo.weebly.com/uploads/1/3/4/7/134710585/pezotejoxug.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/62b29910-4647-45e0-811a-3afe0329e376/88948662499.pdf
    • https://s3.amazonaws.com/zarusegibitumet/action_research_file_in_b_ed_in_english.pdf
    • https://s3.amazonaws.com/jidosatikim/temperate_grassland_ecological_concerns.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c447.bin
8fb59279d9bd6a4ae4622e8bf190aa6f52710cae25439649930b6c1bfecbbbf1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC447 5024 bytes
font_01_sfnt_off0000d547.bin
03a7aecfeca0efee9935d0a4705b679bb743adaf0fd246cca33e58f76082a92e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD547 10440 bytes
font_02_sfnt_off0000f8bb.bin
ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF8BB 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.