Malicious PDF — malware analysis report

Static analysis result for SHA-256 c35174c73a09c86e…

MALICIOUS

PDF

56.3 KB Created: 2020-11-10 12:30:33 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a8d92300dddf1f410b444a65c4b703f SHA-1: 370b8b77664683824b58d1f18a5c69f585b673f7 SHA-256: c35174c73a09c86ec82a13ad7c41ef1d1c9b92ca1edf7b03fe1e77fd803513e9
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are hosted on file-sharing or personal website platforms, suggesting a link farm or phishing attempt. The primary malicious URL identified is 'https://traffine.ru/strik?keyword=can+you+download+apk+on+ios', which is presented in a context that mimics a search result for downloading APKs on iOS. This indicates a likely attempt to redirect users to malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9848

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/strik?keyword=can+you+download+apk+on+ios
    • https://nigefawami.weebly.com/uploads/1/3/4/5/134598638/52119.pdf
    • https://guwomenod.weebly.com/uploads/1/3/0/8/130873843/mofep.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/5dd8d6d7-fd14-473a-8c47-7922931fef34/14274692463.pdf
    • https://s3.amazonaws.com/gupuso/91725444773.pdf
    • https://uploads.strikinglycdn.com/files/a4a22b4d-3425-4724-b0e8-e5a4b3e16130/hunter_irrigation_controller_manual.pdf
    • https://uploads.strikinglycdn.com/files/08d9c5f0-6bcd-4cf5-8076-7aab3278f4c2/bulifogorukoganakof.pdf
    • https://uploads.strikinglycdn.com/files/fb12fba0-c166-46d6-865f-3b211bbcc486/16073677952.pdf
    • https://uploads.strikinglycdn.com/files/bd79d1da-7938-44b6-979c-57b275d4ed10/pevoxikedul.pdf
    • https://s3.amazonaws.com/vebogotexaf/71968943714.pdf
    • https://uploads.strikinglycdn.com/files/a80ac714-c097-4f83-81c4-40a9bc364fd1/girl_scout_ambassador_badge_requirements.pdf
    • https://uploads.strikinglycdn.com/files/84241666-7cd7-4ab9-a47a-ca18994acde9/20522874122.pdf
    • https://uploads.strikinglycdn.com/files/2f50e778-3af8-41ce-93bd-71ec429266fb/frsky_qx7_manual.pdf
    • https://uploads.strikinglycdn.com/files/62aea2ef-2cd7-41cc-b782-7be621132a59/40097014991.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cdca.bin
20ed52c484b79cc8bb82a706032e2497deb7333d4e5e4a249621f274fab7d041		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCDCA 5020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.