Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3e7aefb592bb6c7…

MALICIOUS

PDF

69.5 KB Created: 2020-12-17 19:01:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: cdb288038e5fd6f9fa1d98f871c644fd SHA-1: ea4c9f8d3179dde5746856f0d9f01dda887a0926 SHA-256: b3e7aefb592bb6c7f0c8929b68bac0bdd7f87f7990c308ccc62c69b3a5924908
254 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical alert for linking to known malicious redirector infrastructure. The file contains a large number of external links, many pointing to SEO-optimized PDF documents, suggesting a link farm or phishing campaign. The primary malicious URL identified is https://traffine.ru/123?utm_term=bastion+of+twilight+entrance+location.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/123?utm_term=bastion+of+twilight+entrance+location In PDF document text
    • https://cdn-cms.f-static.net/uploads/4417824/normal_5f967efc2f3e7.pdfIn PDF document text
    • https://tafuposavibado.weebly.com/uploads/1/3/4/0/134017079/51d6aba1feddc6e.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/47dfcdc9-b4eb-4db8-b0ac-5e2e254adbc6/go_math_grade_4_chapter_7_review_test_answers.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1ce7c5c2-98f1-4179-b24d-e56798f8e88c/44505380431.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9fb3504a-88fc-4c67-a3f4-85f084347886/32225186388.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e94ceb20-34e0-453e-8366-5cc1054b6c01/woodland_elementary_kingsford_mi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d0425a69-658b-450e-867a-98e6ae7ffdd3/antminer_d3_mods.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9d24fa26-85a0-4cae-b645-1467254a47ec/557895769.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c096e39c-08d1-4b11-8630-eeae9e2b4b9f/sort_each_description_by_the_type_of_rna_it_describes.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/56015497-1eef-4338-b282-768263141b8b/72476310006.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/71796c2f-a779-461d-abd9-f1d28433b697/exercises_although_though_despite_in_spite_of.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0bf14627-180e-48d3-8ef5-87bda6cf78fd/garirosolopizome.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9a91aec8-0a40-4881-9f11-c59827cec161/block_the_pig_world_record.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c87c2e8f-c19c-4981-835e-caefe59915f4/87770966384.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d42a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD42A 5284 bytes
SHA-256: aea199feef1e6f3a429de2524f9698dac293b46a6619e7ae9164e165278a9f80
font_01_sfnt_off0000e631.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE631 10288 bytes
SHA-256: 85340e1059a939d2568d94b81eda93fe65a7b897b7eef640e427065a09f0899e