Malicious PDF — malware analysis report

Static analysis result for SHA-256 e136da158a71a8a3…

MALICIOUS

PDF

Size: 64.7 KB
Created: 2020-12-23 13:12:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e8fb4428e8c9d495b7fb7d056c553fb3
SHA-1: 776b50cc4a31d0487bcc6acd3ed9f6e05bffa77c
SHA-256: e136da158a71a8a3d21a64a609dae4eeffca93f654c2e8ef29559fc59b272432
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Heuristics applied to the PDF indicate that it is a phishing document carrying a large number of external links, many of which are likely part of a link farm. The primary malicious URL identified is trafffi.ru, presented to the reader as 'Gizmohub app help'. No scripts were extracted, but the PDF structure and the link-farm heuristic strongly suggest a phishing or malicious-redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://trafffi.ru/strik?utm_term=gizmohub+app+help

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000c341.bin
    SHA-256: a7928d77678bf87f05e6e95ff3bcae21d5e68b66f5eb7d1a9601c8835c8b34bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC341
    Size: 5004 bytes
  • font_01_sfnt_off0000d422.bin
    SHA-256: d708100ee665a4543c49a20306de5bed5bfaced8f1287da15a2fc3d5058d6d1f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD422
    Size: 9836 bytes