Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd4c4101c8c6bc62…

Verdict: MALICIOUS
File type: PDF
Size: 118.6 KB
Created: 2021-01-09 17:36:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0ebc3a0f9bfc53d4190fa624cd64d5a5
SHA-1: 3a38a392b3daa0a7bb6c098e8d0209463078f396
SHA-256: cd4c4101c8c6bc62212e720f57ed7182b4387f78955b7b4153c347f62c897c45
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a link to a known malicious redirector infrastructure, indicating a phishing or malware distribution attempt. The ClamAV detection further supports its malicious nature. The document body, though heavily obfuscated, contains text that appears to be a lure related to "Armed response 2017 english subtitles", likely intended to trick the user into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2941

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://traffmen.ru/aws?utm_term=armed+response+2017+english+subtitles

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00010577.bin | 2e595141cfc5a730015d867094056734cd151f5b215480bba884d522f17c5808 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10577 | 7916 bytes
font_01_sfnt_off000119d7.bin | 07900fcf2164fb784370b9757e9926dcbe6d761aaaab6ddf95fe84ecd99a2b3d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x119D7 | 3344 bytes
font_02_sfnt_off000125c5.bin | ef7c847fb2c0426ec3032ab0026cc9ec1e42dad3ad17b72c907bc454047fe093 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x125C5 | 5696 bytes
font_03_sfnt_off00013901.bin | ff8289fcab20b7b81f5dc7c47458689637225d7099c48932a46d6898d6123f6c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13901 | 2656 bytes
font_04_sfnt_off00014406.bin | 2a2f73c0ee504ae8509221dab9a50e72e6c400a18e3952d3eee660ba18a0c3b1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14406 | 4140 bytes
font_05_sfnt_off00015123.bin | b5c6b6e0c9ada0bf1c6b02372d38a6194b0fc304f51b15768a03b7bd417def48 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15123 | 3048 bytes
font_06_sfnt_off00015d32.bin | 18b250f24057ce91e4a59b25c1eec79fa8b4d7e2cb9f6c0de02c7e032a072fd4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15D32 | 2328 bytes
font_07_sfnt_off000167e9.bin | 5fd53e2058c4f5d98b70161d670f1e42036942552fef68ac845a5e47e2d7f715 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x167E9 | 2604 bytes
font_08_sfnt_off000172cb.bin | dd0eb7326fce84c8602cd97ec380383cc43fdd970f0f514f70e4045003fb9d22 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x172CB | 24312 bytes
font_09_sfnt_off0001af83.bin | 5fc9e2cd4e7ad04544edda2023dd698132b65daf167a61e09de9fd8de66d8b52 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AF83 | 2108 bytes
font_10_sfnt_off0001b95e.bin | 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B95E | 4336 bytes
font_11_sfnt_off0001c6fe.bin | e083dd25ee5ba9809ffb23ab2b0bca38ecf76c255bfe8166211c466556e38b8a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C6FE | 5748 bytes