Malicious PDF — malware analysis report

Static analysis result for SHA-256 c68616968f655d57…

MALICIOUS

PDF

71.4 KB Created: 2021-01-06 11:46:09 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 0047a139d026116458e0db964d2388f7 SHA-1: b29f47e30cd7aa8201b0fd123dc6115bd91e1004 SHA-256: c68616968f655d577345bf00637f96d0706013b5a6dec078d46ffaf560b4864e
254 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF contains multiple heuristics indicating malicious intent, including links to known malicious redirectors and a link farm. The 'SE_BROWSER_INSTALL_LURE' heuristic strongly suggests the document's purpose is to trick the user into installing a malicious browser extension or plugin. While no scripts were explicitly extracted, the nature of the lure and the presence of embedded URLs point towards a phishing or malware delivery attempt, likely leveraging embedded JavaScript for execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffmen.ru/aws?utm_term=ecommerce+app+template+swift In PDF document text
    • https://nofefikow.weebly.com/uploads/1/3/4/5/134510094/2221741.pdfIn PDF document text
    • https://cdn.sqhk.co/zatugudaxaji/fhhG8ja/grist_mill_inn_hope_nj.pdfIn PDF document text
    • https://pagofere.weebly.com/uploads/1/3/1/3/131398194/fekikuz-jujixaluba-lubosazideta-kuvenor.pdfIn PDF document text
    • https://tunawirivam.weebly.com/uploads/1/3/1/4/131437064/8073787.pdfIn PDF document text
    • https://vufobuvi.weebly.com/uploads/1/3/1/1/131163959/zagapozuginugu.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/bbe4c0b6-2050-4d28-b855-04e7e4ca0675/native_flowers_of_puerto_rico.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a73cdb42-9b99-447a-9620-b7a0beb34c3e/45040869937.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e0bdf739-7769-4b24-875f-084e56a042d3/steph_curry_powerpoint_nike.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/94c9104a-2bfe-4a5f-88b0-72b2e470999f/vekofuxiwomowome.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/451a0fd9-889f-4245-8405-9d4495ab9a18/future_english_for_results_5.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d1da18bc-757f-4d30-a7f7-0e72dba7b1d9/kipijizalitowipabasi.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/cc358b29-dd29-4455-ba7b-4100b248e202/65835949649.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f73cb769-9227-48d7-8bfc-fd6c08d0aa62/fetutixegilalitediveza.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/4a733d5b-f75c-4184-ab84-cdcd739f7952/applications_of_linear_algebra_in_biomedical_engineering.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d87a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD87A 5208 bytes
SHA-256: 1dc4bc44c1348b2d72cb919e1a4fcdc0d52e657219cc22682283206071209d06
font_01_sfnt_off0000ea2e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA2E 11708 bytes
SHA-256: e64cd62d4a77da9acac38c164da06b18808116ae9d36b6bcb1a97e85416cdcc3

Open this report in the interactive analyzer, or submit your own file for analysis.