Malicious PDF — malware analysis report

Static analysis result for SHA-256 e15f60a5ae117fdf…

MALICIOUS

PDF

80.5 KB Created: 2020-12-27 06:11:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7bdfd794ab4285fa9656864002fecf70 SHA-1: 191b69e0c62dc05a70400a690d0387d91d89dcdb SHA-256: e15f60a5ae117fdfc6038005d2f1d3249271424cdc6fd3a86b493656d716406e
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics identified it as a link farm hosted on disposable domains, with multiple external URIs pointing to potentially malicious sites. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs. The presence of numerous unknown reputation URLs suggests a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafftec.ru/strik?utm_term=first+electric+fire+truck
    • https://webunufilijamo.weebly.com/uploads/1/3/4/6/134677486/mamanaranevupi.pdf
    • https://fijojonibiw.weebly.com/uploads/1/3/2/6/132681787/a8401ec7a9859.pdf
    • https://cdn.sqhk.co/jegisizozul/hjahdL4/garoxusolumagibixakas.pdf
    • https://cdn.sqhk.co/fevivesuxofo/EhiEtG4/46098057957.pdf
    • https://xewoweduvaji.weebly.com/uploads/1/3/4/6/134680405/6ddd657093a73.pdf
    • https://cdn.sqhk.co/dasoxitif/Jw40ggc/18228428828.pdf
    • https://mufudoxideli.weebly.com/uploads/1/3/4/5/134508761/kizatiza.pdf
    • https://ratopavitakam.weebly.com/uploads/1/3/4/4/134460251/3710459.pdf
    • https://lagukekejase.weebly.com/uploads/1/3/0/8/130815031/8661075.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/f48679e5-2a9d-473a-9371-3c603e9af1fd/88834748218.pdf
    • https://uploads.strikinglycdn.com/files/f296552a-ddca-4ade-8198-f37c5ac9be72/letax.pdf
    • https://uploads.strikinglycdn.com/files/8e58cb67-3cbc-45c3-b9ee-58f7bb7aca1c/99928624294.pdf
    • https://uploads.strikinglycdn.com/files/73410d6c-a3ff-4ee0-9824-2b4dd6e7cf58/10148173394.pdf
    • https://uploads.strikinglycdn.com/files/8cd21fbd-8e13-405c-8509-ad9f7d33ab1c/nero_7_portable_descargar_gratis.pdf
    • https://uploads.strikinglycdn.com/files/a432ae7f-e482-408c-8011-bed278feb2e3/42003978335.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ddfd.bin
a71bb61195023f6421fcef94453fe6aeb8e806aa8aa50642b41592fc78b45642		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDDFD 9512 bytes
font_01_sfnt_off0000fde1.bin
9c1acf6d101251fc299b1836f1667f0578ac1f6f4230a02d79842ab2b0c5ae89		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFDE1 4684 bytes
font_02_sfnt_off00010de8.bin
c101e743ea18e5d355d1e26172b1e4bc22bb4015716331c740f2da444d48785b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10DE8 11804 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.