Malicious PDF — malware analysis report

Static analysis result for SHA-256 d40bda59d6d8070a…

MALICIOUS

PDF

73.1 KB Created: 2020-11-18 12:20:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c54a4158c42bdfbe3273887253f15f5 SHA-1: da497af1a133a2180ae7c118013f8cee3b0c4df5 SHA-256: d40bda59d6d8070a00cab1ea7bbbab83e56575ad734e26628251f82ad073a0c0
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF document exhibits characteristics of a phishing lure, specifically using a 'Browser extension / update installation lure' to trick users into downloading a payload. The presence of numerous external links, including one pointing to 'trafficel.ru', suggests an attempt to redirect users to malicious sites. ClamAV detection and ML classification further support its malicious nature, indicating it likely serves as a dropper for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/aws?utm_term=circuit+simulator++java
    • https://sibomimotilelib.weebly.com/uploads/1/3/4/2/134235458/7360883.pdf
    • https://zovotinaselon.weebly.com/uploads/1/3/4/5/134589175/2777453.pdf
    • https://xukusoresi.weebly.com/uploads/1/3/4/4/134488105/nevopak_wosilimol_degogebupunotu_dufemowubifobu.pdf
    • https://maxubuzidam.weebly.com/uploads/1/3/4/4/134486229/8195920.pdf
    • https://bitifuzafaf.weebly.com/uploads/1/3/4/4/134488734/dolipaxisiza-ganapowavo-zolano.pdf
    • https://cdn-cms.f-static.net/uploads/4375887/normal_5f9ee65f5d886.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/boxalewijim/saga_de_los_androides_dbz.pdf
    • https://uploads.strikinglycdn.com/files/d42d48f7-0b82-49cc-a53c-102ffc84b545/bogoxobetabavonezija.pdf
    • https://s3.amazonaws.com/vibuvomomuv/77966199134.pdf
    • https://s3.amazonaws.com/kevava/rekuwesosabir.pdf
    • https://s3.amazonaws.com/sasufufa/jezabo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e290.bin
d65afc5576fba72bdbcd743b00977fa67af45eb22f366882c5eb2e47f8c0e489		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE290 4984 bytes
font_01_sfnt_off0000f370.bin
c62a3ab9c9a8c424bbad3dcada8eef3ca19c423421cfd595b0dfc2fbf5a6c88b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF370 10580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.