Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1dc9c9849c03b79…

MALICIOUS

PDF

Size: 71.6 KB
Created: 2021-01-12 11:18:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: f88324988a3988fecf089f040cd15e91
SHA-1: 3803847d8c26d6a45d190f10a937e773acb84191
SHA-256: c1dc9c9849c03b79081ce143102b8baab24789b7bf82e80ffc9bf8b26f1ee629
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and by an ML classifier, and exhibits the characteristics of a phishing or link-farm distribution document. It contains numerous external links, including a link annotation pointing to 'traffset.ru', which suggests an attempt to redirect users to malicious or deceptive content. The document body is heavily obfuscated, but its metadata identifies the generator ('wkhtmltopdf') and a creation date, indicating its origin and its likely use in a campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffset.ru/aws?utm_term=yeah+baby+song+status (PDF link annotation)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000b267.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB267
    Size: 4856 bytes
    SHA-256: 737546e410008a691ed9824b8f8e43dd3d1a15c0da64b6ba55b55a73571bcf45
  • font_01_sfnt_off0000c2e6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC2E6
    Size: 2044 bytes
    SHA-256: 28336a0cb3f8e641e75945af3d35324194abd932e21d2bc38800f63db353b10a
  • font_02_sfnt_off0000cc50.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCC50
    Size: 9928 bytes
    SHA-256: a93403f223d30b94b11a421a2612b14aec1e539102cc64910a430df4a7fb8a45
  • font_03_sfnt_off0000ee5e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE5E
    Size: 16060 bytes
    SHA-256: 313c3940a6f4aae92ceaa1b1a843de6e6f13411355a457aba6e018c383fce54c
  • font_04_sfnt_off000102f3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x102F3
    Size: 4324 bytes
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3