Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3446d2067405017…

MALICIOUS

PDF

61.1 KB Created: 2020-11-18 04:23:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dbef20e797ef0820c21b7b77fd772c61 SHA-1: 2cc8155c17d7d2c74c1a8b69a05e1b57e453b070 SHA-256: c3446d206740501721ea27145fdcb982f0b2ccfee4d8e8eb47146baa8f5df6b1
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous external URLs, with one notable URL being https://traffset.ru/aws?utm_term=kadamba+kannada+movie+video+songs+free. The PDF's structure and the presence of many external links suggest it is designed to redirect users to potentially harmful content or engage in SEO manipulation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7822

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/aws?utm_term=kadamba+kannada+movie+video+songs+free
    • https://xonujofepip.weebly.com/uploads/1/3/4/3/134385468/siturubulusero.pdf
    • https://cdn-cms.f-static.net/uploads/4393019/normal_5fa11ad1de04f.pdf
    • https://cdn-cms.f-static.net/uploads/4413121/normal_5f9cb05c85f3c.pdf
    • https://penusifobituje.weebly.com/uploads/1/3/4/3/134314418/madasadev-dubib-sedevog.pdf
    • https://cdn-cms.f-static.net/uploads/4384035/normal_5faa41efe26c6.pdf
    • https://mekujukoner.weebly.com/uploads/1/3/4/7/134715553/lajojil.pdf
    • https://vorujefam.weebly.com/uploads/1/3/4/3/134322124/66f175.pdf
    • https://wurikosaradusif.weebly.com/uploads/1/3/1/3/131384544/3547591.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1d8743db-de13-4a20-a0ef-6c7444c29a96/35274709420.pdf
    • https://s3.amazonaws.com/mujevubutukoxu/ben_hogan_grip_illustration.pdf
    • https://uploads.strikinglycdn.com/files/64aead26-5883-4019-91e4-cff0178ea048/vojitupos.pdf
    • https://uploads.strikinglycdn.com/files/7920f56d-9410-4eff-962b-b7587906dd2a/tukisabixegodebed.pdf
    • https://s3.amazonaws.com/sisaxu/top_gear_botswana_special_episode_number.pdf
    • https://s3.amazonaws.com/takurugilij/49126952076.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cfca.bin
36cb22ca4ccf349ab76556ec81b2aea5561eca9a1ce0d7eda3b2532a2f80a2f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCFCA 5428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.