Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddb586293e2a81c2…

MALICIOUS

PDF

Size: 74.6 KB
Created: 2021-01-05 20:38:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e8a67e3221d3dc4ea85be572e12097ba
SHA-1: 7c715ab095e9f9fa983f90622bbd91a469072919
SHA-256: ddb586293e2a81c20e0c5001b55d2e9af1e8fcbe22593549faa8df5d739d335e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a 'PDF link farm', suggesting a tactic to drive traffic to various websites. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or SEO spam. Although no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of malicious activity, potentially leveraging embedded JavaScript for redirection or obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
stream_003_off0000dcf2.bin (b6587dcc356cfeafa6392833c032e104e3db430aa29825adacb07fea13ad1425) | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xDCF2 | 9672 bytes
font_00_sfnt_off0000cb4c.bin (108b0fd5d22e8025520646a4410f22d680ea3ac30c5f753b54d49db41446a7b3) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCB4C | 5132 bytes
font_02_sfnt_off0000f851.bin (3bf9b00167121f2f5e21070040588384c9b5590a93b59368df9a33c50657aea2) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF851 | 10436 bytes