Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5d998c1f40e0ac3…

MALICIOUS

PDF

Size: 67.1 KB
Created: 2020-12-18 13:22:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 06d3d183f3c2a868e4d9f3d6dbf4b119
SHA-1: 796e1ea96bee42a2b6016ea21f1a0391c815a682
SHA-256: d5d998c1f40e0ac38206c28d693e87604f408fa1d02aa1706499595c0d7958eb
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

ClamAV (signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0) and the Nyx PDF classifier (malicious score 0.9998) both flag the file, and the heuristics describe the mechanism: a small (67.1 KB) PDF generated with wkhtmltopdf that carries a mass of clickable external links, most of them to other PDFs on the same hosting services (static1.squarespace.com and s3.amazonaws.com). That is the shape of a generated SEO link-farm carrier, not of a document citing sources. The target `https://traffset.ru/strik?utm_term=hoover+linx+cordless+reviews` stands out: its `utm_term` value is a consumer search phrase ("hoover linx cordless reviews"), the pattern of search-engine-poisoning lures that pull a searcher into a redirect chain, so it likely leads to a phishing or unwanted-software delivery site and should be treated as the destination rather than as one more farm link. No JavaScript or other script was extracted, so the T1059.007 (JavaScript) mapping is not backed by any script recovered from the file; on the evidence here the document's behaviour is limited to redirecting a user who clicks its external links, and the duplicate-object finding stayed at info severity.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • [info] PDF_URI: External URI
    PDF contains an external URL (/URI) action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; the info severity here means no active content was tied to the duplicated object.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The highlighted URL is the traffset.ru target; the bulk of the list is other PDFs on static1.squarespace.com and s3.amazonaws.com, and the last seven entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org/OFL) are XMP namespace URIs from the document metadata and the SIL Open Font License URL carried by the embedded fonts, not navigable link targets.
    • https://traffset.ru/strik?utm_term=hoover+linx+cordless+reviews (highlighted)
    • https://lopinelu.weebly.com/uploads/1/3/4/3/134369173/lanixinoxafu_zaxakezaw_xufegumuwokomus_naxav.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static1.squarespace.com/static/5fc0e9f1b8467722f1d45afd/t/5fca3bd34e3f3d251746a87c/1607089107720/origami_animals_how_to_make.pdf
    • https://s3.amazonaws.com/rowubunak/fixamugijelivi.pdf
    • https://s3.amazonaws.com/gumegulaxi/89066071785.pdf
    • https://s3.amazonaws.com/muvunekagok/kufijozorajevorikam.pdf
    • https://s3.amazonaws.com/jiwisi/84770940583.pdf
    • https://static1.squarespace.com/static/5fdc7b6f43483e57e2cf12c2/t/5fdc90a299d54e3fc07e22cd/1608290467880/bangla_video_gaan_karo.pdf
    • https://s3.amazonaws.com/mejifavo/katebelukufomozumosadi.pdf
    • https://static1.squarespace.com/static/5fc07dde27a199023ab34438/t/5fc13395f8cdb769c60eed33/1606497173884/paragraph_organization_practice_worksheets.pdf
    • https://static1.squarespace.com/static/5fc0d12c3dfdd95b60d4a66f/t/5fc2f9b7f3de5e49b5c694a7/1606613432328/best_weight_gain_pills_for_males.pdf
    • https://static1.squarespace.com/static/5fc0c66b27a199023ab4af32/t/5fc6ffcf3ac9c763f4cc52f7/1606877136914/big_launcher_pro_mod_apk.pdf
    • https://static1.squarespace.com/static/5fc119b992c50b1a1e78b725/t/5fcdcdad2fa8bc6bcd0a28f6/1607323055050/72737726181.pdf
    • https://static1.squarespace.com/static/5fc66f49a13a450bab1a5f60/t/5fc82468dcb5b26079703e01/1606952040983/human_thorax_diagram.pdf
    • https://s3.amazonaws.com/migivewuwe/role_of_law_enforcement_agencies.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
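The structural heuristics above (PDF_URI, PDF_SEO_LINK_FARM, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the split in EMBEDDED_URL between navigable links and metadata strings can be reproduced with a byte-level scan. The script below is an added example written for this page, not the analysis platform's own code: the regex-based object scanner, the thresholds (8 links, 50% on one host, 100 KB) and the sample PDF it builds are assumptions, and the sample is constructed rather than the analysed file. It shows what a first-wins and a last-wins reader would each resolve for the redefined object and whether the duplicate carries an action key.

```python
"""Byte-level triage of a PDF's link structure, approximating the PDF_URI,
EMBEDDED_URL, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL checks.
Added example, not the analysis platform's code: thresholds, regexes and the
sample PDF are assumptions / constructed data."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Every "N G obj ... endobj" definition in file order. The lookbehind stops
# "210 0 obj" from also matching as "10 0 obj". Xref tables are ignored on
# purpose: the point is to see every definition, not the one xref points at.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")     # literal-string /URI targets only
ANY_URL_RE = re.compile(rb"""https?://[^\s<>"')]+""")  # what a generic URL extractor sees
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/GoToR")
# XMP/RDF namespace URIs and the SIL OFL licence URL occur in metadata and
# font streams of ordinary PDFs; they are strings, not navigable targets.
METADATA_PREFIXES = ("http://www.w3.org/", "http://purl.org/dc/",
                     "http://ns.adobe.com/", "http://scripts.sil.org/OFL")
MIN_LINKS, TOP_HOST_SHARE, SMALL_FILE_BYTES = 8, 0.5, 100 * 1024  # assumed thresholds


def scan_objects(data):
    """Yield (num, gen, body) for each indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """Object ids defined more than once with differing bodies: the body a
    first-wins and a last-wins reader would resolve, and whether any copy
    carries an action/script key (the condition for raising severity)."""
    bodies = {}
    for num, gen, body in scan_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {key: {"first": b[0], "last": b[-1],
                  "active": any(k in body for body in b for k in ACTIVE_KEYS)}
            for key, b in bodies.items() if len(set(b)) > 1}


def extract_urls(data):
    """Return (all URL-looking strings, /URI action targets), deduplicated in file order."""
    everything = list(dict.fromkeys(m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(data)))
    actions = list(dict.fromkeys(m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(data)))
    return everything, actions


def triage(data):
    urls, actions = extract_urls(data)
    hosts = Counter(urlsplit(u).hostname or "" for u in actions)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(actions) if actions else 0.0
    dups = duplicate_objects(data)
    return {
        "embedded_urls": len(urls),
        "metadata_uris": sum(u.startswith(METADATA_PREFIXES) for u in urls),
        "uri_actions": len(actions),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "link_farm": (len(data) <= SMALL_FILE_BYTES and len(actions) >= MIN_LINKS
                      and share >= TOP_HOST_SHARE),
        "duplicate_objects": {"%d %d" % k: v for k, v in dups.items()},
        "duplicate_with_active_content": any(v["active"] for v in dups.values()),
    }


def build_sample_pdf():
    """Constructed sample (not the analysed file): eight link annotations to one
    host plus one to another, an XMP stream with namespace URIs, and an
    incremental update that redefines annotation 10 0 with a new target.
    No xref tables, since the scanner above never consults them."""
    links = ["https://static1.squarespace.com/static/5f/t/%d/file_%d.pdf" % (i, i) for i in range(8)]
    links.append("https://landing.example/strik?utm_term=cordless+vacuum+reviews")
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"><rdf:Description/></rdf:RDF>')
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(links)))
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>\nendobj\n",
        b"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream\nendobj\n",
    ]
    for i, u in enumerate(links):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (10 + i, u.encode()))
    original = b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    update = (b"10 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              b"/A << /S /URI /URI (https://redirect.example/go) >> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    for k, v in triage(build_sample_pdf()).items():
        print("%-30s %s" % (k, v))
```

On the constructed sample the generic extractor sees 12 URLs, two of which are XMP namespaces, while only 10 are /URI action targets; 8 of those sit on one host, so the link-farm condition fires, and object 10 0 resolves to the squarespace link under first-wins and to redirect.example under last-wins, with /URI counting as active content. On a real file, run it on the raw bytes and compare the first-wins and last-wins bodies of any duplicate before trusting what a viewer shows.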

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000cb70.bin
    SHA-256: d444ea7e91cb8e6883465ffb167ea557d6c2b68784735c9b1b5dee764c29fd96
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCB70
    Size: 4904 bytes
  • font_01_sfnt_off0000dc44.bin
    SHA-256: ae72a37eaebefb37d3d1e2c6cee41741733c4735449e4e7c485677c152914f81
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDC44
    Size: 10444 bytes
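The carving above (one record per sfnt stream with its file offset, size and SHA-256) can be reproduced with a few dozen lines, and it is worth adding the check the table does not show: a stream that starts with an sfnt magic but whose table directory points past the end of the data is a malformed font or a carrier, not something to hand to a font parser. The following is an added example, not the analysis platform's carver; the stream regex, the direct-/Length handling, the 64-table plausibility bound and the constructed PDF with one valid and one truncated font are all assumptions.

```python
"""Carve sfnt (TrueType/OpenType) font streams out of a PDF and sanity-check
the table directory before anything parses them. Added example, not the
analysis platform's carver: the stream regex, the /Length handling, the
64-table bound and the constructed sample PDF are all assumptions."""
import hashlib
import re
import struct
import zlib

# "N G obj << dict >> stream\n": the raw stream data starts at m.end().
STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>\s*stream\r?\n", re.S)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s*\d+\s*R)")  # skip indirect "/Length 9 0 R"
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")            # TrueType, CFF OpenType, Mac TrueType
MAX_TABLES = 64                                                    # assumed plausibility bound


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def check_sfnt(blob):
    """Parse the sfnt offset table and table records. Returns (ok, tags, reason);
    a directory that points outside the data fails here instead of in a font parser."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return False, [], "no sfnt header"
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return False, [], "implausible numTables %d" % num_tables
    if len(blob) < 12 + 16 * num_tables:
        return False, [], "table directory truncated"
    tags = []
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        if not all(0x20 <= c < 0x7f for c in tag):
            return False, tags, "non-ASCII table tag %r" % tag
        if offset + length > len(blob):
            return False, tags, "%s table (%d+%d) exceeds %d bytes" % (tag.decode(), offset, length, len(blob))
        tags.append(tag.decode())
    return True, tags, "ok"


def carve_fonts(pdf):
    """One record per stream whose (decoded) data starts with an sfnt magic,
    named like the report's artifacts: font_NN_sfnt_offXXXXXXXX.bin."""
    records = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, start = m.group(3), m.end()
        length = DIRECT_LENGTH_RE.search(dictionary)
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            raw = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue  # undecodable stream; a fuller triage would report it separately
        if raw[:4] not in SFNT_MAGICS:
            continue
        ok, tags, reason = check_sfnt(raw)
        records.append({"name": "font_%02d_sfnt_off%08x.bin" % (len(records), start),
                        "offset": start, "size": len(raw), "sha256": sha256_hex(raw),
                        "ok": ok, "tables": tags, "reason": reason})
    return records


def build_sfnt(tables):
    """Minimal sfnt blob from {tag: bytes} (constructed test data, not a usable font)."""
    n = len(tables)
    max_pow2 = 1 << (n.bit_length() - 1)
    search_range = max_pow2 * 16
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, max_pow2.bit_length() - 1,
                         n * 16 - search_range)
    directory, body, offset = b"", b"", 12 + 16 * n
    for tag, data in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag, 0, offset + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
    return header + directory + body


def build_sample_pdf():
    """Constructed sample: a Flate-compressed valid sfnt, a plain content stream,
    and an uncompressed blob with an sfnt magic whose directory overruns the data."""
    good = build_sfnt({b"head": b"\0" * 54, b"maxp": b"\0" * 6})
    bad = good[:60]

    def stream(num, extra, raw):
        return (b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(raw), extra)
                + raw + b"\nendstream\nendobj\n")

    return (b"%PDF-1.4\n"
            + stream(5, b" /Length1 %d /Filter /FlateDecode" % len(good), zlib.compress(good))
            + stream(6, b"", b"BT /F1 12 Tf (hello) Tj ET")
            + stream(7, b" /Length1 %d" % len(bad), bad)
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for rec in carve_fonts(build_sample_pdf()):
        print(rec)
```

The offset recorded is that of the raw stream data inside the PDF, which is how the report's file names (off0000cb70, off0000dc44) are derived; the hash is taken over the decoded bytes, which is what a font parser would actually consume. The content stream is skipped because it carries no sfnt magic, and the truncated blob is reported with the table and byte range that overrun the data.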