Malicious PDF — malware analysis report

Static analysis result for SHA-256 d71ce5e2d1972206…

MALICIOUS

PDF

97.8 KB Created: 2020-12-25 19:40:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be468e1e56f8ed26ef67b2c5ff77f00a SHA-1: 13c2c911d1e6d5e210261aa6aa7c86f8c1761c00 SHA-256: d71ce5e2d19722065e5c656a06c14ff78e7dadcad3afc8076d879aed925a248c
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of external links, characteristic of a link farm designed to distribute traffic to various malicious sites. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or malware delivery. While no scripts were explicitly extracted, the PDF structure and numerous external URIs suggest it's designed to lure users to external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/strik?utm_term=lobbyist+groups+are+often+funded+by
    • https://cdn.sqhk.co/zifalulog/9ibhiia/xavejonezexabemunufolik.pdf
    • https://gejuvidafi.weebly.com/uploads/1/3/4/4/134456396/sevutinokitad_zonigageweli_lalifufemiviro.pdf
    • https://kurenilomu.weebly.com/uploads/1/3/4/0/134042522/sogazofokotidu.pdf
    • https://cdn.sqhk.co/xivumatozo/Hiehfgh/hill_climb_racing_2_new_team_event.pdf
    • https://satufimitu.weebly.com/uploads/1/3/4/7/134715308/8448804.pdf
    • https://jerexibim.weebly.com/uploads/1/3/4/6/134654770/lalakox.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/zategafozasiru/21756100891.pdf
    • https://s3.amazonaws.com/vavabi/census_south_africa_2011_results.pdf
    • https://s3.amazonaws.com/pasawexawinogad/kia_cerato_2011_user_manual.pdf
    • https://s3.amazonaws.com/gudukupir/4465374613.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014061.bin
357f7c1fdfa89851ef3aa9206654ced8ebc6387d690389b78dae29da492eca1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14061 5360 bytes
font_01_sfnt_off000152af.bin
80f3f161ebc766ed802f199596f0db033ef6e01085cc46c81e589e1e88629d90		 pdf-font-stream PDF embedded font (sfnt) at offset 0x152AF 11828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.