Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6b056eff3ddec8d…

MALICIOUS

PDF

62.9 KB Created: 2020-11-17 07:46:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c1c16b191705d9e4c0f77199187c897e SHA-1: 6c09643734c04017f54cf6939a25167fc17db913 SHA-256: c6b056eff3ddec8d989d162d9ac28b29c0bdca51f5f617982447a3aa17afc154
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The presence of numerous external URIs hosted on disposable domains, combined with the ML classifier's high confidence, indicates a malicious intent to redirect users to potentially harmful content. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create PDF documents from web content, further supporting a lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8290

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffnew.ru/123?utm_term=arte+de+la+seduccion+robert+greene+pdf
    • https://negedawitadunez.weebly.com/uploads/1/3/4/5/134587096/4384bc7d46cc707.pdf
    • https://widutelakil.weebly.com/uploads/1/3/4/3/134378670/007036e894c5f.pdf
    • https://cdn-cms.f-static.net/uploads/4410674/normal_5f95435cd9ca5.pdf
    • https://vodipewelo.weebly.com/uploads/1/3/1/6/131637384/e2e970.pdf
    • https://cdn-cms.f-static.net/uploads/4446497/normal_5f9fbbbd9521f.pdf
    • https://fisotewefupug.weebly.com/uploads/1/3/1/0/131071176/mafitosodobabeme.pdf
    • https://kenolafopufa.weebly.com/uploads/1/3/4/5/134528829/717d55a6e2dbad.pdf
    • https://fenorave.weebly.com/uploads/1/3/4/6/134639489/lowazikoroperap.pdf
    • https://cdn-cms.f-static.net/uploads/4393632/normal_5f9fb43e30fdb.pdf
    • https://zatazonikafude.weebly.com/uploads/1/3/4/3/134340422/jumutubemomuvu-wogaletekela-jasiguxudas-rigelowug.pdf
    • https://dokodajibebabek.weebly.com/uploads/1/3/2/3/132302773/98e4c20d405.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fosagoba/ucdsb_calendar_2020_2021.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ce45.bin
5cc61583fda9d0e46bab93606a22484ff7b6b799b50b7a99f974831cfd32d721		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE45 5452 bytes
font_01_sfnt_off0000e0d8.bin
5e0a3b8167347ce55461dd60064f2a5fdd5b7cd49306474ec03a3c1852963d4e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE0D8 9796 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.