Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccd62a60e7a93140…

MALICIOUS

PDF

58.9 KB Created: 2020-12-09 19:13:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72424a7abfc23034e1fe9abf4fe346e4 SHA-1: b65af21519f8433e9fea6e4b214e3cb4c626689c SHA-256: ccd62a60e7a93140156be1f294cf773db6c251d545862849e3912661dab54db9
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple external links, with one specifically advertising 'Ares virus mod apk 1.0.7 unlimited money'. This, combined with the heuristic 'PDF_SEO_LINK_FARM' indicating a large number of external links, suggests a phishing or malware distribution attempt. The ML classifier and ClamAV detection further support the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9873

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/123?utm_term=ares+virus+mod+apk+1.0.7+unlimited+money
    • https://gipulafu.weebly.com/uploads/1/3/4/4/134442702/kaner.pdf
    • https://cdn-cms.f-static.net/uploads/4377935/normal_5f92675948330.pdf
    • https://bugupoxe.weebly.com/uploads/1/3/4/8/134850066/votipatigoji.pdf
    • https://cdn-cms.f-static.net/uploads/4366347/normal_5f99314120c1a.pdf
    • https://bisudika.weebly.com/uploads/1/3/4/3/134366448/bawasezanefidan.pdf
    • https://xivenisulebitok.weebly.com/uploads/1/3/1/3/131378814/sojaxom.pdf
    • https://kasugokadudibuk.weebly.com/uploads/1/3/4/7/134740653/5295034.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/0243d0ca-17d8-42f1-b062-69a011a77c64/application_vnd.openxmlformats-officedocument.spreadsheetml.sheet_does_not_work.pdf
    • https://uploads.strikinglycdn.com/files/6e9f744c-0b86-404f-8538-795b7b66b899/kepag.pdf
    • https://uploads.strikinglycdn.com/files/035a4c24-b7ce-471f-b35f-2b99da7bf5a7/sifedebetebu.pdf
    • https://uploads.strikinglycdn.com/files/94dbf072-42a3-4ed6-bf8f-b0d8856f3539/belokilu.pdf
    • https://uploads.strikinglycdn.com/files/5cfc21c6-b808-4d32-961a-cf515d9dd003/wakoxuluzomanudab.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbdfe19f3de5e49b52a63ab/1606286873920/bell_tv_guide_niagara_falls.pdf
    • https://uploads.strikinglycdn.com/files/2788bc2e-7c37-4673-b2d5-f3414f990322/75253470202.pdf
    • https://uploads.strikinglycdn.com/files/40673579-2c8d-4966-bebc-e321dd2e9ece/21040228667.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ce61.bin
372feba54e913e349f4dd8d7551d5fee64cdacc5e311cbc5bd72e77db02890df		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE61 5508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.