Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8d86d896222e326…

Verdict: MALICIOUS
File type: PDF
Size: 66.6 KB
Created: 2020-11-28 10:21:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-27
MD5: 29aa32570c20a03c2ef2380ec9658e38
SHA-1: 018adf7f608dd34077ff63d2fa599bafe9abdd82
SHA-256: d8d86d896222e326c916f83b6da83c2ca1425fed3d9a085e4966ed09b86fb572
Risk score: 212

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

Note: the heuristic findings below describe a user-driven redirect chain rather than a parser exploit, and no JavaScript is reported in the file; read the T1059.007 and T1203 entries as generic PDF-lure tags, not as behaviour observed in this sample.

The PDF carries clickable links to known malicious redirector infrastructure (PDF_MALICIOUS_REDIRECTOR_LINK) and a cluster of external PDF links characteristic of a generated SEO link farm (PDF_SEO_LINK_FARM). The ML classifier and ClamAV also flag the file as malicious. The document is an educational-content lure (the redirector URL's utm_term reads "simplifying exponents with fractions worksheet"), built to get the user to click through a redirect chain rather than to exploit the PDF reader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9357

Heuristics (4)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure.
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains, not on a PDF parser vulnerability.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm.
    A small PDF with many clickable external PDF links, mostly clustered on one host, matches the generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains; it does not match a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URLs.
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it. Every URL below was reached via the "PDF document text" channel. They are grouped here by role:

    Redirector (the only target that is neither a PDF nor a font license page, and the likely subject of the PDF_MALICIOUS_REDIRECTOR_LINK hit; the utm_term carries the lure keywords):
    • https://gettraff.ru/aws?utm_term=simplifying+exponents+with+fractions+worksheet

    External PDF links (the PDF_SEO_LINK_FARM cluster: 12 links, 7 of them on uploads.strikinglycdn.com):
    • https://cdn-cms.f-static.net/uploads/4491926/normal_5fb8bbb001bb4.pdf
    • https://rewudorabemomaf.weebly.com/uploads/1/3/4/2/134234845/61cc6.pdf
    • https://kuzaloxamuw.weebly.com/uploads/1/3/1/4/131406684/1523737.pdf
    • https://tupekado.weebly.com/uploads/1/3/4/5/134514551/2738533.pdf
    • https://s3.amazonaws.com/zalisujezajaje/givafekawutizubiwiris.pdf
    • https://uploads.strikinglycdn.com/files/d8f1937f-1120-490a-8fa4-5b25d2a19ba7/90915114157.pdf
    • https://uploads.strikinglycdn.com/files/60dbc72a-07ad-43c8-b2a0-3af7b304dde8/51499377155.pdf
    • https://uploads.strikinglycdn.com/files/bddd1c13-c820-4c5b-91ea-981136320482/japanese_grammar_nara.pdf
    • https://uploads.strikinglycdn.com/files/5f687d02-8b81-4c86-9044-765f1da5d0e9/65265621498.pdf
    • https://uploads.strikinglycdn.com/files/7c0b901b-b550-4ade-82ca-ea7d43cfdd90/95646941795.pdf
    • https://uploads.strikinglycdn.com/files/f3c886ce-c716-4460-83b1-e62e9446868b/pefimexopovak.pdf
    • https://uploads.strikinglycdn.com/files/103e374b-5fad-4494-a2fa-ba2fd319b14f/bovotupaseberadofimakok.pdf

    Font vendor and license URLs (most likely not lure content: these are the strings typically found in the name/license metadata of embedded fonts, and four sfnt font streams are carved from this file, see Extracted artifacts below):
    • http://fontawesome.io
    • http://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.thdl.org/ (extracted twice, followed by the text "Tibetan")
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html (followed by the text "Tibetan")
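The following is an added example, not code from this report or its scanner, that shows how the PDF_MALICIOUS_REDIRECTOR_LINK and PDF_SEO_LINK_FARM findings above can be reproduced from the link targets of a PDF: pull every /URI link action out of the file (including ones inside Flate-compressed object streams), then test the file size, the number of external .pdf targets, how strongly they cluster on one host, and whether any target sits on a redirector host. The thresholds (200 KB, 8 PDF links, 50 % on one host) and the choice of gettraff.ru as the redirector host are assumptions for the example; the fixture PDF is constructed here from a subset of the URLs listed in this report and nothing is fetched. It only covers the clickable-link channel; the report's "PDF document text" channel would additionally require scanning page content streams.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Link actions look like "/A << /S /URI /URI (http://...) >>"; this matches the
# literal-string form and tolerates backslash-escaped parentheses inside it.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def unescape_pdf_string(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that can occur inside a URL: \\( \\) \\\\ and \\ddd octal."""
    def repl(m):
        esc = m.group(1)
        return esc if esc in b"()\\" else bytes([int(esc, 8) & 0xFF])
    return re.sub(rb"\\([()\\]|[0-7]{1,3})", repl, raw).decode("latin-1")

def scan_regions(pdf: bytes):
    """Yield the raw file, then every stream that inflates as zlib, so link
    annotations stored inside FlateDecode object streams are not missed."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream (content streams, fonts, images)

def extract_uris(pdf: bytes) -> list:
    return [unescape_pdf_string(m) for region in scan_regions(pdf) for m in URI_RE.findall(region)]

def assess_links(pdf: bytes, redirector_hosts=frozenset(), max_size=200_000, min_pdf_links=8, cluster_ratio=0.5):
    """Approximates the two link heuristics of the report. Thresholds and the
    redirector host list are assumptions for this example, not the scanner's values."""
    uris = extract_uris(pdf)
    pairs = [(u, (urlsplit(u).hostname or "").lower()) for u in uris]
    pdf_pairs = [(u, h) for u, h in pairs if urlsplit(u).path.lower().endswith(".pdf")]
    by_host = Counter(h for _, h in pdf_pairs)
    top_host, top_n = by_host.most_common(1)[0] if by_host else ("", 0)
    share = round(top_n / len(pdf_pairs), 2) if pdf_pairs else 0.0
    redirectors = sorted({u for u, h in pairs if h in redirector_hosts})
    hits = []
    if len(pdf) <= max_size and len(pdf_pairs) >= min_pdf_links and share >= cluster_ratio:
        hits.append("PDF_SEO_LINK_FARM")
    if redirectors:
        hits.append("PDF_MALICIOUS_REDIRECTOR_LINK")
    return {"size": len(pdf), "uris": len(uris), "pdf_links": len(pdf_pairs), "top_host": top_host,
            "top_host_share": share, "redirector_uris": redirectors, "hits": hits}

# Constructed fixture: a subset of the URLs listed in this report, wrapped in a
# PDF generated by build_sample_pdf() below. Nothing is fetched.
SAMPLE_URLS = [
    "https://gettraff.ru/aws?utm_term=simplifying+exponents+with+fractions+worksheet",
    "https://cdn-cms.f-static.net/uploads/4491926/normal_5fb8bbb001bb4.pdf",
    "https://rewudorabemomaf.weebly.com/uploads/1/3/4/2/134234845/61cc6.pdf",
    "https://kuzaloxamuw.weebly.com/uploads/1/3/1/4/131406684/1523737.pdf",
    "https://s3.amazonaws.com/zalisujezajaje/givafekawutizubiwiris.pdf",
    "https://uploads.strikinglycdn.com/files/d8f1937f-1120-490a-8fa4-5b25d2a19ba7/90915114157.pdf",
    "https://uploads.strikinglycdn.com/files/60dbc72a-07ad-43c8-b2a0-3af7b304dde8/51499377155.pdf",
    "https://uploads.strikinglycdn.com/files/bddd1c13-c820-4c5b-91ea-981136320482/japanese_grammar_nara.pdf",
    "https://uploads.strikinglycdn.com/files/5f687d02-8b81-4c86-9044-765f1da5d0e9/65265621498.pdf",
    "http://scripts.sil.org/OFL",
]

def build_sample_pdf(urls) -> bytes:
    """Minimal one-page PDF with one uncompressed /Link annotation per URL (valid xref included)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            ("<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
             + " ".join(f"{4 + i} 0 R" for i in range(len(urls))) + "] >>").encode()]
    for i, u in enumerate(urls):
        lit = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 {12 * i} 300 {12 * i + 12}] "
                    f"/A << /S /URI /URI ({lit}) >> >>".encode())
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)

def flate_wrap(data: bytes) -> bytes:
    """Fixture: wrap bytes in a FlateDecode stream object to exercise the inflate path of scan_regions()."""
    z = zlib.compress(data)
    return b"9 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(z) + z + b"\nendstream\nendobj\n"
```

Run `assess_links(build_sample_pdf(SAMPLE_URLS), redirector_hosts={"gettraff.ru"})` to see both heuristic names fire on the fixture. The regex approach is deliberately tolerant of broken xref tables, which is what you want on a sample that may be malformed on purpose, but it misses hex-string URIs (`/URI <...>`) and streams whose `/Length` does not line up with `endstream`; for those, fall back to a real PDF object parser.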

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are sfnt (TrueType/OpenType) font streams embedded in the PDF.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000b6eb.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xB6EB   6196 bytes
  SHA-256: 067f564a2bb32e98a0822f6b60aba04c95ced3a47167b8057a009f9b28b1cdb0
font_01_sfnt_off0000cc0d.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xCC0D   5648 bytes
  SHA-256: 29eb4e6f1a245763b4610ebeb105aabc92430d44a7a3013c121aa94d42d26047
font_02_sfnt_off0000df28.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xDF28   8668 bytes
  SHA-256: a29c3f37f2cf1fd32f0a4d657e3dd71b88c1f85506478ae66af1ea550c0efdac
font_03_sfnt_off0000f00b.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF00B   9636 bytes
  SHA-256: 4322fe640eeca0b96060c32f137fe1e021ddc72f1b7223b194e12166f160fbfb
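Added example (not part of the report or its carving tool): once a font stream like the font_*.bin artifacts above has been carved, the check a reviewer wants is whether the blob really is a well-formed sfnt container and whether anything is hiding in it. The code below parses the offset table and table directory, recomputes each table's checksum the way the OpenType specification defines it (zeroing head.checkSumAdjustment), flags tables that point outside the blob, and counts bytes that no table or directory entry accounts for, which is where a payload smuggled inside a "font" would sit. The fixture font is constructed here by build_sfnt() from dummy table bytes; it is not one of the carved artifacts.

```python
import struct

# Container tags seen at offset 0 of TrueType / OpenType files.
SFNT_VERSIONS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)",
                 b"OTTO": "OpenType/CFF", b"typ1": "PostScript Type 1 in sfnt"}

def table_checksum(tag: str, data: bytes) -> int:
    """Spec checksum: sum of big-endian uint32 words over the table padded to 4 bytes.
    For 'head' the checkSumAdjustment field (bytes 8..12) is treated as zero."""
    if tag == "head" and len(data) >= 12:
        data = data[:8] + b"\0\0\0\0" + data[12:]
    data += b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(data) // 4}I", data)) & 0xFFFFFFFF

def inspect_sfnt(blob: bytes) -> dict:
    """Parse the offset table and table directory of a carved font and report
    structural problems, checksum mismatches and bytes no table accounts for."""
    if len(blob) < 12 or blob[:4] not in SFNT_VERSIONS:
        raise ValueError("not an sfnt container")
    num_tables = struct.unpack(">H", blob[4:6])[0]
    problems, mismatches, tables = [], [], []
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        problems.append(f"directory claims {num_tables} tables but blob is only {len(blob)} bytes")
        num_tables = (len(blob) - 12) // 16
        dir_end = 12 + 16 * num_tables
    covered = bytearray(len(blob))           # 1 = byte belongs to the directory or a table
    covered[:dir_end] = b"\1" * dir_end
    for i in range(num_tables):
        tag, csum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        tag = tag.decode("latin-1")
        tables.append((tag, off, length))
        if off + length > len(blob):
            problems.append(f"{tag}: offset {off} + length {length} exceeds blob size {len(blob)}")
            continue
        if table_checksum(tag, blob[off:off + length]) != csum:
            mismatches.append(tag)
        span = length + (-length % 4)        # tables are 4-byte padded in the file
        covered[off:off + span] = b"\1" * len(covered[off:off + span])
    return {"format": SFNT_VERSIONS[blob[:4]], "tables": tables, "problems": problems,
            "checksum_mismatches": mismatches, "unaccounted_bytes": covered.count(0)}

def build_sfnt(tables: dict) -> bytes:
    """Constructed fixture: a well-formed TrueType-flavoured sfnt around arbitrary
    table bytes (at least one table), with correct directory checksums."""
    tags = sorted(tables)                    # the directory must be sorted by tag
    n = len(tags)
    pow2 = 1 << (n.bit_length() - 1)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, pow2 * 16, pow2.bit_length() - 1, n * 16 - pow2 * 16)
    directory, body, off = b"", b"", 12 + 16 * n
    for tag in tags:
        data = tables[tag]
        directory += struct.pack(">4sIII", tag.encode("latin-1"), table_checksum(tag, data), off, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        body += padded
        off += len(padded)
    return header + directory + body
```

Checksum mismatches on their own are weak evidence (several font tools write sloppy checksums), but a table that overruns the blob, or a large unaccounted tail, is a reason to look at the carved bytes by hand rather than trust the "font" label from the PDF.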