Malicious PDF — malware analysis report

Static analysis result for SHA-256 b25325e693c57859…

Verdict: MALICIOUS
File type: PDF
Size: 66.6 KB
Created: 2020-11-10 12:22:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-02
MD5: 84c7a07c4357a15af0e92adc6a5f5fc9
SHA-1: 9ea9e16c9d49a69b1f0af87994ffc3bd1abdea14
SHA-256: b25325e693c57859d36feee8a5b248669f5daa0beddd77c187220262065ee54d
Risk score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a pattern typical of SEO-poisoning and phishing campaigns. The ClamAV detection and the ML classifier both indicate malicious intent, most likely redirection of users to malicious sites. Although no scripts were extracted, the PDF structure and the embedded links suggest it is designed to route users to, or trigger downloads of, malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6640

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafftec.ru/aws?keyword=participial+phrase+worksheet (PDF link annotation)
    • https://ximazula.weebly.com/uploads/1/3/0/7/130738777/motimi.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4378378/normal_5f8aefd4eb711.pdf (in PDF document text)
    • https://lewubudakaxawo.weebly.com/uploads/1/3/4/3/134342842/c13f1f9.pdf (in PDF document text)
    • https://zunobogodosi.weebly.com/uploads/1/3/4/6/134630435/zujobutobolu.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4372960/normal_5f8c70f98f41f.pdf (in PDF document text)
    • https://fowaluta.weebly.com/uploads/1/3/4/4/134488886/22531cb.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e1531d38-ef29-45ec-926b-17fdeb3298a9/king_street_primary.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7f843a9c-0b13-47b3-87f8-63a479021ca2/limite_d_lasticit_acier.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c80b0bb2-aea9-41dc-91c8-6b0d8b9c3db5/tarigimubozagafeso.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/17cccde0-b244-418d-8959-1656962bccce/rekarexizugadej.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/01e18a11-1b65-48d5-93a8-78ddf44b4272/20_road_runner_cartoon_download_mp4.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000bc95.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBC95
    Size: 4860 bytes
    SHA-256: 77a9bccd55edf99f29231d7f5e3060e8470a6e1ba2420bb92270b75a6d31cc5d
  • font_01_sfnt_off0000cd35.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCD35
    Size: 10352 bytes
    SHA-256: e204b8d52d1245ef11cb330378e01dddb3b53020466db02098e15671ecdc892b