Malicious PDF — malware analysis report

Static analysis result for SHA-256 de90a612f3de6c9c…

Verdict: MALICIOUS
File type: PDF
Size: 86.8 KB
Created: 2020-12-21 10:14:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3fbed6fbef42dca2aa32f6b2f5afa608
SHA-1: 1d017780c79d4de6fced86c08adc1a318cdffdd2
SHA-256: de90a612f3de6c9c87c80893f9439dbb0075fe7f09891bacab0c34560e94c8e2
Risk Score: 214

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains a large number of embedded links, many of which point to external PDF files, suggesting a link farm or redirection to malicious content. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' specifically flags a URL leading to known malicious infrastructure. While no scripts were explicitly extracted, the PDF structure and embedded links are indicative of a phishing or redirection attempt, likely leveraging embedded JavaScript for execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://cctraff.ru/strik?utm_term=best+army+builder+for+warhammer+40k
    • https://fisupipegapug.weebly.com/uploads/1/3/4/5/134515512/27cdb.pdf
    • https://tedumuwoke.weebly.com/uploads/1/3/1/3/131397970/nureparor.pdf
    • https://cdn-cms.f-static.net/uploads/4501989/normal_5fc19c7315c1d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/8deca34f-afef-4a10-a276-bf1a4276e673/dakufakijogawu.pdf
    • https://uploads.strikinglycdn.com/files/fe54e8b9-92d1-474b-92a4-082aaaeda7b6/6881880813.pdf
    • https://uploads.strikinglycdn.com/files/3e1e7bce-c8d5-4262-9d47-763e7989fe33/basic_figure_drawing_techniques_greg_albert.pdf
    • https://uploads.strikinglycdn.com/files/b7175c0c-51a6-4159-b9ce-5d960d4655bf/tawidizujalobojekazivov.pdf
    • https://uploads.strikinglycdn.com/files/15a18fd2-f645-4b3d-99f5-4b254503273b/natebemogatozanerovatize.pdf
    • https://uploads.strikinglycdn.com/files/9b081da3-107c-48b4-9a8d-faf63c0ef53d/15746534575.pdf
    • https://uploads.strikinglycdn.com/files/744e4713-91c0-4c7c-a8f6-c8f6970b44d7/17582897643.pdf
    • https://uploads.strikinglycdn.com/files/272203e5-f526-4d3e-8371-4e6265d1f0ce/60967811698.pdf
    • https://uploads.strikinglycdn.com/files/75219e51-8db1-43f2-967b-382744781a14/unblocked_five_nights_at_freddys_4.pdf
    • https://uploads.strikinglycdn.com/files/fc610b6d-c5b2-4125-84d2-f19a65646fda/14613451721.pdf
    • https://uploads.strikinglycdn.com/files/d432de9b-9fef-4396-a0ac-debda629f214/wazunabujok.pdf
    • https://static1.squarespace.com/static/5fdd28e788390d34f381f39e/t/5fddc84ba478394ebc90e82c/1608370253645/xekesolajibikum.pdf
    • https://uploads.strikinglycdn.com/files/570b7259-9753-4494-8bc4-7fc50963a7a6/fisibiwijowetinad.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • font_00_sfnt_off00010476.bin
    SHA-256: 2f4b585d25fa1cb407054430cd969444475492be27c9ec37fd42c949d51db7c6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10476
    Size: 5600 bytes
  • font_01_sfnt_off000117a8.bin
    SHA-256: 281320cdfd1974f66fbb64851cbdc45d5b315656b2558fe16240c5ad2a1fd709
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x117A8
    Size: 11788 bytes
  • font_02_sfnt_off00013fc0.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13FC0
    Size: 4324 bytes