Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb42934d4d5c14e5…

Verdict: MALICIOUS
File type: PDF
Size: 109.2 KB
Created: 2020-12-23 14:38:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5ceedb86167c0e91333b3eebfda7dbbd
SHA-1: f5b872e58a73b5e19946d230d279aec8f07cad20
SHA-256: bb42934d4d5c14e586c7f1076bd5f1a6177fda5f0e926d4f4c22123a5ded27c7
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
    Note: none of the heuristics listed below reports JavaScript (/JS or /JavaScript) in this sample, so the T1059.007 mapping is not corroborated by this scan's own findings; the supported behaviour is the external link chain.

The PDF carries an unusually large number of external link annotations, most of them pointing to other PDFs hosted on free site builders and CDNs (uploads.strikinglycdn.com, *.weebly.com, cdn-cms.f-static.net, static.s123-cdn-static.com, s3.amazonaws.com); 10 of the 19 .pdf targets sit on uploads.strikinglycdn.com alone. That is the shape of a generated SEO link-farm carrier rather than a document with genuine citations, and the wkhtmltopdf authoring stamp is consistent with bulk HTML-to-PDF generation. The ClamAV phishing signature and the ML classifier (0.9988) agree on a malicious, phishing-oriented verdict. The primary URL, https://traffking.ru/aws?utm_term=minna+no+nihongo+mondai+answer+key, is the likely final hop of the chain, with credential harvesting or further payload delivery as plausible outcomes; the utm_term value appears to record the search query the lure was built around. No JavaScript, launch or embedded-file heuristic fired and the only carved artifacts are six embedded fonts, so the risk here is what the links lead to, not code that executes inside the reader. Treat traffking.ru and the .pdf-hosting domains as network indicators; static analysis alone cannot show what traffking.ru served at the time of the scan.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9988

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample 19 link targets end in .pdf and 10 of them are on uploads.strikinglycdn.com.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature above.
  • PDF_URI (info): External URI
    The PDF contains at least one external URL action (/S /URI).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically across an incremental update. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate definition carries active content (an action, script or similar); here it stays at info.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that reached each URL (macro, JS, link annotation, document body, ...), where the scanner labels it.
    Primary URL (the likely final hop of the chain):
    • https://traffking.ru/aws?utm_term=minna+no+nihongo+mondai+answer+key
    Clickable .pdf link targets (19, of which 10 on uploads.strikinglycdn.com):
    • https://static.s123-cdn-static.com/uploads/4481540/normal_5fcf12424aa30.pdf
    • https://cdn-cms.f-static.net/uploads/4369645/normal_5fa73ca6d680a.pdf
    • https://tusefekojeseto.weebly.com/uploads/1/3/4/4/134437698/mefavur.pdf
    • https://wunenogapo.weebly.com/uploads/1/3/4/5/134509221/jegakisej.pdf
    • https://fiwisito.weebly.com/uploads/1/3/4/7/134715438/8251742.pdf
    • https://cdn-cms.f-static.net/uploads/4477873/normal_5fade3b28ba62.pdf
    • https://static.s123-cdn-static.com/uploads/4387718/normal_5fc4b7abadb1d.pdf
    • https://kukezedom.weebly.com/uploads/1/3/4/6/134629177/5981880.pdf
    • https://uploads.strikinglycdn.com/files/1a1551aa-5ed2-402a-ab65-330b0b2d88ae/bagepanuledosuxume.pdf
    • https://uploads.strikinglycdn.com/files/39f9ed10-f41c-428a-8162-4ef2bdef9bb6/89436175755.pdf
    • https://uploads.strikinglycdn.com/files/30e191fd-43da-4c02-b477-929d28fd3ed4/jotujusagabapuke.pdf
    • https://uploads.strikinglycdn.com/files/0bf28808-5844-4528-a973-4ff3b38ffec4/82327676313.pdf
    • https://uploads.strikinglycdn.com/files/c26ccdf2-9d95-48e3-9e9f-da0ada4a79ee/dojadila.pdf
    • https://uploads.strikinglycdn.com/files/a84bed58-9f27-4873-8de9-6e59c6297aee/philter_of_love_uses.pdf
    • https://uploads.strikinglycdn.com/files/7fb9c91b-b28d-46c1-bb42-1b364a68a9ad/watubut.pdf
    • https://uploads.strikinglycdn.com/files/808af6e0-3bbd-4f74-b675-d4596665a04b/santa_claus_and_his_old_lady_cheech_chong.pdf
    • https://s3.amazonaws.com/foneniz/tedupakiro.pdf
    • https://uploads.strikinglycdn.com/files/9d1d0234-be11-4579-85d6-ec2829dba33c/25540775781.pdf
    • https://uploads.strikinglycdn.com/files/b6599420-80b8-4668-a178-375d151a8b7d/xolibuseganuwo.pdf
    Other URLs (font-vendor, font-licence and XMP namespace URIs, most likely pulled from embedded font name tables and document metadata rather than from link annotations):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • http://www.daltonmaag.com/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
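The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with raw-byte parsing: pull every /URI literal, group the .pdf targets by host, and index every "N G obj ... endobj" definition so that duplicates with differing bodies (and what a first-wins versus last-wins reader would resolve) become visible. The script below is an added example written for this page, not the scanner's own code. The PDF it operates on is a constructed sample, and the thresholds (min_pdf_links, min_top_host_share) and helper names are assumptions, not the scanner's.

```python
"""Static triage for PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL.
Added example for this page; not the scanner's implementation."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): four link annotations, then an
# incremental update that redefines object 4 0 with a different /URI and
# re-emits object 2 0 byte-for-byte (a benign, body-identical duplicate).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://traffking.ru/aws?utm_term=x) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://uploads.strikinglycdn.com/files/a/one.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://uploads.strikinglycdn.com/files/b/two.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://uploads.strikinglycdn.com/files/c/three.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI only; hex strings and escaped parentheses are out of scope here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uris(data: bytes) -> list:
    """Every /URI literal in the raw bytes, in file order, incremental updates included."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_verdict(uris, min_pdf_links=8, min_top_host_share=0.5) -> dict:
    """Flag many clickable *.pdf targets clustered on one host.
    Thresholds are assumptions for this example, not the scanner's."""
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = (hosts.most_common(1) or [(None, 0)])[0]
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": share,
        "link_farm": len(pdf_links) >= min_pdf_links and share >= min_top_host_share,
    }


def object_definitions(data: bytes) -> dict:
    """Map (object number, generation) -> list of body bytes in file order."""
    defs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def conflicting_objects(data: bytes) -> dict:
    """Objects defined more than once with *different* bodies. Byte-identical
    re-emits (normal incremental updates) are ignored, as the heuristic describes."""
    return {k: bodies for k, bodies in object_definitions(data).items()
            if len(set(bodies)) > 1}


def resolve(data: bytes, num: int, gen: int, policy: str) -> bytes:
    """Body a first-wins ("first") or last-wins ("last") reader would use."""
    bodies = object_definitions(data).get((num, gen), [])
    if not bodies:
        raise KeyError((num, gen))
    return bodies[0] if policy == "first" else bodies[-1]


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    print(link_farm_verdict(uris, min_pdf_links=4))
    for key, bodies in conflicting_objects(SAMPLE_PDF).items():
        print(key, "first-wins:", resolve(SAMPLE_PDF, *key, "first"))
        print(key, "last-wins: ", resolve(SAMPLE_PDF, *key, "last"))
```

On the constructed sample the link-farm check reports four .pdf targets with 75% of them on uploads.strikinglycdn.com, and object 4 0 is reported as conflicting: a first-wins reader lands on traffking.ru, a last-wins reader on example.org. The byte-identical re-emit of object 2 0 is not reported, which is the distinction the heuristic draws between a routine incremental update and a parser-confusion shape.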

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are embedded sfnt (TrueType/OpenType) font streams carved from PDF font objects; no script, executable or other embedded file was carved.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00010aad.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10AAD  10204 bytes
  SHA-256 a05b7854aced67ce648ca8e550dbd0f74bf2758dfb8b381984accf58ff57731d
font_01_sfnt_off00012bc1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12BC1  5176 bytes
  SHA-256 8701ba4eb5ec36d4ced35af898f8e605b2328aa8f121df4838e165105c5bfeb8
font_02_sfnt_off00013d2f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13D2F  10600 bytes
  SHA-256 f49084d48801e54ba0cf1f994954ed539e8045b7786726c3d7ef0b9a471189e4
font_03_sfnt_off00015b20.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x15B20  11300 bytes
  SHA-256 5864638477fe0d7f701d0366069f5972fc78cc4eee487259fffe9e036a380e37
font_04_sfnt_off000181cc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x181CC  16376 bytes
  SHA-256 c3d0ee408bee49a88931d2ac630a9fb52e88a46fabab5a72aa19e78bbe1d3826
font_05_sfnt_off00019774.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x19774  4324 bytes
  SHA-256 cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34