Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc740ecd197810ba…

MALICIOUS

File type: PDF
Size: 66.2 KB
Created: 2020-12-21 04:43:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: a643c3b1ae6abb21d4bdbe1ceba3ce1c
SHA-1: 0b3a9f6400ee8f9a2593eb62d4bec139ce8a3e93
SHA-256: cc740ecd197810ba9cd3a3f9f0fc96eaf733e5922d3d9534a470ef21c67546e7
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it):
    • https://traffine.ru/strik?utm_term=black+natural+short+haircuts+2019 (PDF link annotation)
    • https://zikixitifo.weebly.com/uploads/1/3/4/8/134897390/tadupumisavak.pdf (in PDF document text)
    • https://vixadabunukup.weebly.com/uploads/1/3/4/9/134902839/rolidobesuwejo.pdf (in PDF document text)
    • https://zewadozodatigi.weebly.com/uploads/1/3/4/3/134337643/aa11b5445bb7bc.pdf (in PDF document text)
    • https://woninulanomawij.weebly.com/uploads/1/3/4/6/134670754/solivisose.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/832bc8a6-c5eb-4a35-947d-18b9b979a953/escuela_empirica_de_la_administracion.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9190a73a-0796-4c91-967b-8e7b92a24f4f/mikinisusiwajumi.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b2d7633f-5608-408f-bee2-750627c85a98/lefevemixawogefipem.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9451cea2-d02a-4fe8-a94c-a36bee13ee0d/what_is_the_black_stuff_under_my_fin.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4f04d68b-7c7c-4ca9-8d0b-f0df31962de4/cinco_ranch_cougar_band_facebook.pdf (in PDF document text)
    • https://s3.amazonaws.com/babuxufarizuxur/41933149093.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/596ae846-49f4-46ec-9f9e-b183c703e005/43526289615.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/82eaead8-435e-4038-afad-111d82634ed9/your_name_here_and_the_argonauts.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000c834.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC834 | 5480 bytes
  SHA-256: dd44f7302c1aba38579a6a9a7772fcf648cf75ba9190d2c59c2560ab61f1b9db
font_01_sfnt_off0000dad3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDAD3 | 9824 bytes
  SHA-256: fcca4f7ba5ec98aa01411a47034c1b51b5f73780d9889dc7fbca63889baeb0eb