Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1a19d045fe23790…

MALICIOUS

PDF

Size: 67.8 KB
Created: 2020-12-22 11:15:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-27
MD5: c888550f13a59bbe528f3a40e78b5ba3
SHA-1: db9b7b2da889cfcd27730376dc094a4ecc0e625a
SHA-256: e1a19d045fe2379083c8a15f59e7cf2560b91a332572299b150c8ff799cb90fe
Risk Score: 274

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

Multiple heuristics fired on this PDF that indicate malicious intent, including a link to a known malicious redirector and a brand-impersonation lure for Amazon. The large number of external PDF links suggests a link farm or redirection strategy. While no scripts were explicitly extracted, the PDF structure and embedded links are indicative of a phishing or redirection attack, likely leveraging embedded JavaScript for execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://gorofegi.weebly.com/uploads/1/3/4/4/134462705/8e2eb2dde07f.pdf.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL / channel that reached it:
    • https://traffine.ru/strik?utm_term=90s+country+music+90s+country+singers — In PDF document text
    • https://cdn-cms.f-static.net/uploads/4427793/normal_5f9e195834b59.pdf — In PDF document text
    • https://cdn-cms.f-static.net/uploads/4373769/normal_5f891a18db4fa.pdf — In PDF document text
    • https://gorofegi.weebly.com/uploads/1/3/4/4/134462705/8e2eb2dde07f.pdf — In PDF document text
    • https://static.s123-cdn-static.com/uploads/4402280/normal_5fc7676ce1926.pdf — In PDF document text
    • http://www.ascendercorp.com/ — In PDF document text
    • http://www.ascendercorp.com/typedesigners.html — In PDF document text
    • https://s3.amazonaws.com/gebaxovudofe/rosuvoturujutub.pdf — In PDF document text
    • https://static1.squarespace.com/static/5fc7a84402915d4a16f9ca82/t/5fd01c252817830411166f8b/1607474214845/paradise_island_adventure_golf_glasgow_deals.pdf — In PDF document text
    • https://static1.squarespace.com/static/5fc7aba6778af068263fedd7/t/5fd5ff9d267c8d0ace3c12e0/1607860127517/admit_card_hssc_pgt_computer_science.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/10d3e432-c698-4a68-b089-b2b0fc3e7dd1/driver_detectiv_keygen.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/b8d4251b-d4df-4e33-9cb4-3d6547788282/najomakelifobopexelefited.pdf — In PDF document text
    • https://s3.amazonaws.com/nuxulikiwab/ibm_cognos_report_studio_fundamentals_training.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/5bb03bef-7187-4061-a152-02db481c82a2/39847618475.pdf — In PDF document text
    • https://static1.squarespace.com/static/5fc1ac0c8787e87989717060/t/5fc3c07f3f75b1664346be10/1606664321839/dijomizewixujewofe.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/c3a4e2d1-40ff-48e1-8323-b938384f1459/18801931001.pdf — In PDF document text
    • https://uploads.strikinglycdn.com/files/45587688-23a9-472d-8d71-f5590e49b5ed/r12_to_r134a_capacity_conversion_calculator.pdf — In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In PDF document text
    • http://purl.org/dc/elements/1.1/ — In PDF document text
    • http://ns.adobe.com/pdf/1.3/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ — In PDF document text
    • http://scripts.sil.org/OFL — In PDF document text

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000cc7b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCC7B | 5180 bytes
  SHA-256: 9fa0cbbd7ba0e909cc4322bbe4b0f3c4a1564e35ef358b9bbf85b0b6776e4a9f
font_01_sfnt_off0000de10.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDE10 | 10660 bytes
  SHA-256: 7ebfe6c7d046df8a5f79aac79d53feb565ddcb10a9a6ffe00850d9fa7274864c