Malicious PDF — malware analysis report

Static analysis result for SHA-256 c461217698392435…

MALICIOUS

PDF

70.9 KB Created: 2020-12-17 04:44:15 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-27
MD5: c9adec13865bcc3d40c83d7e31e37b98 SHA-1: a07bf6fb30ef705f10ee83c6550c3a7dd43ee63b SHA-256: c461217698392435ef0fc8dc224a160395490e03ce4d941bc43b745a958c83a6
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded links, with at least one identified as a malicious redirector. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' and the ClamAV detection 'Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0' strongly indicate a phishing or malicious redirection attempt. The presence of a large number of external links also suggests a link farm or SEO manipulation tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gettraff.ru/123?utm_term=goodyear+viva+3+all-season+tire+225%252F55r17 In PDF document text
    • https://cdn-cms.f-static.net/uploads/4428043/normal_5fb7204b7c9fa.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4367290/normal_5fb8c69838c24.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4450148/normal_5fd089a55d7f7.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369158/normal_5f95261e2ad1e.pdfIn PDF document text
    • https://zopodiwozexuma.weebly.com/uploads/1/3/4/7/134737972/102855.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4377115/normal_5fcda6040c76a.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4373999/normal_5fc854d8c910b.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4445750/normal_5fc6fe972e6fc.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/293917a9-69dc-4e8e-9152-d74a48aef3fa/16563445071.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2dd271f2-fbb2-4846-9c5c-f76597780338/how_to_wash_shutterfly_fleece_blanket.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ad49e444-ea73-4c3f-9ffd-bc57afa78ffa/47147011851.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a4e2af85-a688-415f-bcd9-a8e439cae490/honeywell_true_hepa_allergen_remover_air_purifier_50250.pdfIn PDF document text
    • https://s3.amazonaws.com/xutomoxu/93455880243.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d70f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD70F 5632 bytes
SHA-256: c5a3e898e9170352b199fad0931ee195d6a69693be6de1c25757312096749bdd
font_01_sfnt_off0000ea77.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA77 10656 bytes
SHA-256: e49ec482cfa3ec2fef33d3896c2ba95a6c4b3ea454a1c97f03cd1aa8bb5fdd29