Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4f42bb9486743fc…

MALICIOUS

PDF

72.1 KB Created: 2020-11-26 08:44:47 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 20d0b4fb6d453603b1e75080f176f523 SHA-1: 9ae6b3513b08e6872529242acab3ca04648b9a3c SHA-256: c4f42bb9486743fcfe96758b33321fbe6817e7c214722e765204bb2b6a650ed0
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many of which are hosted on suspicious domains or are designed to mimic legitimate documents, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent, likely to redirect users to phishing sites or download further malware. Although no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/strik?utm_term=what+types+of+empires+did+the+mongols+conquer
    • https://punotajevi.weebly.com/uploads/1/3/4/2/134266109/sudozubezenobibele.pdf
    • https://cdn-cms.f-static.net/uploads/4473415/normal_5fb5db00e05ce.pdf
    • https://cdn-cms.f-static.net/uploads/4373516/normal_5f9579b494e7b.pdf
    • https://suzokapiwewop.weebly.com/uploads/1/3/4/3/134351383/lilolikufevoguta.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/pozokimepe/glebe_primary_school_ofsted_report.pdf
    • https://s3.amazonaws.com/nilafafakem/janowuvaki.pdf
    • https://s3.amazonaws.com/wovigebi/tevibeno.pdf
    • https://uploads.strikinglycdn.com/files/485fc772-817d-4078-9064-3ea3ba5234ce/pampers_swaddlers_size_4_132_count.pdf
    • https://s3.amazonaws.com/davubewu/sony_vegas_pro_14_free_for_pc.pdf
    • https://s3.amazonaws.com/divexikav/25855502653.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db8e.bin
64e37b48ade83fe0dfbf5e841ebc886c7c0765858f6ccf3d7edb8a606a8b4e5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDB8E 5808 bytes
font_01_sfnt_off0000ef41.bin
5790fd8277a9dfa4847327646fabd07fc96abac9a672db5cee1f8265e601897d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF41 10840 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.