Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4123dc5795e51ea…

MALICIOUS

PDF

55.8 KB Created: 2020-11-13 06:06:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 76342337fac6cfa49ae0333b32f76690 SHA-1: be69287a77d934d7777d4543a9393dd4937a4dc9 SHA-256: d4123dc5795e51eabb31f24cdfb70dac9e5c9da57b331e13419446234e0d7045
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to S3 buckets and Weebly-hosted PDFs, indicative of a link farm or redirection scheme. The primary malicious URL identified is traffking.ru, which is likely used for phishing or to serve further malicious content. ClamAV and ML classifiers also flagged this PDF as malicious, specifically as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/strik?utm_term=blood+bowl+2+trophy+guide
    • https://rolosakuzorega.weebly.com/uploads/1/3/1/3/131379035/tetokesajemidop.pdf
    • https://sazejorewisiboj.weebly.com/uploads/1/3/4/4/134459615/0522866.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kesumasaka/jirixokeputusak.pdf
    • https://s3.amazonaws.com/wekibik/maminesemuxosatizudozemin.pdf
    • https://s3.amazonaws.com/selivuvumepaveb/6537213781.pdf
    • https://s3.amazonaws.com/fosagoba/rozixidusururuje.pdf
    • https://uploads.strikinglycdn.com/files/eb5ecc9e-e5af-4441-90cd-4a5bb8241c03/26075317388.pdf
    • https://s3.amazonaws.com/gofiguj/the_crucible_background_information.pdf
    • https://uploads.strikinglycdn.com/files/e6ce8143-bd71-4110-b502-4112daba6e72/pantech_p6030_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a35e.bin
e78ab22d06050947f7d956e3e508e1c9ee21eb75e2e20c2fb8e1b431e5ae341f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA35E 5348 bytes
font_01_sfnt_off0000b5a3.bin
c8ce0464dbfd1e505b4e569c049b790f13d7eed31349f94fd6b5e7ca95bcaf64		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB5A3 8660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.