Malicious PDF — malware analysis report

Static analysis result for SHA-256 e49c43ee8c836835…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2020-11-20 00:10:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-31
MD5: d166eaeb2f0848bc9778bc15507f5c06
SHA-1: 78b7730c61c0935fc4e96d1ffdbf5966b95c5284
SHA-256: e49c43ee8c8368358c7ed8d828d11023323dfa240bcf5dbe140aaf9d67aa52e3
Risk score: 214

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.007 JavaScript

The PDF contains a large number of embedded links, most of them pointing to external resources, including a known malicious redirector. The document body is heavily obfuscated, but the lure appears to be a free English-to-German dictionary, as also suggested by the utm_term parameter on the traffking.ru link. The combination of a malicious redirector link and the sheer volume of links indicates a generated link-farm carrier whose purpose is to drive users to malicious sites, most likely for phishing or malware delivery; such documents typically rely on the user clicking a link rather than on a PDF parser vulnerability. ClamAV also detects this file as Pdf.Phishing.Trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under that signature name.
  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the risk lies in following the link, not in rendering the file.
  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    The small PDF contains many clickable external links to other PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content such as JavaScript or launch actions.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label records which part of the file (macro, JavaScript, link annotation, document body, ...) referenced it.
    All URLs below were found in PDF document text:
    • https://traffking.ru/aws?utm_term=english+to+german+dictionary+free++pdf
    • https://cdn-cms.f-static.net/uploads/4450428/normal_5f9ffd2604794.pdf
    • https://gazesomudari.weebly.com/uploads/1/3/1/0/131070071/fa448.pdf
    • https://cdn-cms.f-static.net/uploads/4461780/normal_5faf7a36bd8b9.pdf
    • https://nutikatike.weebly.com/uploads/1/3/4/6/134601603/vogatar.pdf
    • https://cdn-cms.f-static.net/uploads/4386094/normal_5fb599ea2faef.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/kewakuko/37025956201.pdf
    • https://uploads.strikinglycdn.com/files/61eee9ad-69d1-4d53-98f3-9aab0605b201/palajapisovifajuz.pdf
    • https://uploads.strikinglycdn.com/files/265149a4-7aaf-4b3e-b7a2-8b5b34499fda/chemistry_ph_and_poh_calculations_wo.pdf
    • https://uploads.strikinglycdn.com/files/a9446ca5-95c3-4134-910f-a2c07abfbedd/satusugakezuvimod.pdf
    • https://s3.amazonaws.com/widofafane/diranekenedenigon.pdf
    • https://uploads.strikinglycdn.com/files/73f6962b-cec0-4d41-a325-40e7196b1dc6/pes_2013_galatasaray_stadyum_yamas.pdf
    • https://uploads.strikinglycdn.com/files/6f3ccedb-3137-43bc-aa43-b3db248282df/piriwesexamigamanumotuzel.pdf
    • https://uploads.strikinglycdn.com/files/79fd44a9-81a9-48c1-91f8-f9b953a95926/48153562238.pdf
    • https://s3.amazonaws.com/lunojol/green_8_ft_sun_dolphin_aruba_kayak.pdf
    • https://s3.amazonaws.com/vukumesoj/13931907294.pdf
    • https://uploads.strikinglycdn.com/files/916d959e-0c58-4714-86b0-8f6c3c358df7/mastering_the_american_accent.pdf
    • https://s3.amazonaws.com/wazorixekunafob/ragdoll_simulator_2_codes_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, scripts.sil.org/OFL is the SIL Open Font License URL, and ascendercorp.com and daltonmaag.com are type-foundry sites; all of these are consistent with the XMP packet and the metadata of the embedded fonts listed below and should not be treated as indicators. The .pdf links on shared hosting (cdn-cms.f-static.net, weebly.com, s3.amazonaws.com, strikinglycdn.com) are the link-farm cluster the PDF_SEO_LINK_FARM heuristic refers to.
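The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are easy to reproduce without a full PDF parser. The following is an added example written for this page, not the analysis platform's own code: a stdlib-only Python scanner run against a constructed PDF (hosts on the reserved .test TLD, a hypothetical redirector, and an incremental update that redefines object 4 with a JavaScript action). The thresholds and severity names are assumptions, not values taken from the report.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the analysed file: five link annotations (three on one
# host, one on a second host, one to a hypothetical redirector), then an
# incremental update that redefines object 4 with a JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-files.test/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-files.test/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-files.test/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://other.example.test/d.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.example.test/go?q=dictionary) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Dictionary keys that make a duplicate body "active content" (assumed list).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|GoToR|SubmitForm)\b")


def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in byte order.
    Scanning bytes instead of walking the xref is deliberate: it sees every
    definition, including ones an incremental update has superseded. A binary
    stream that happens to contain b'endobj' would truncate that body."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def duplicate_objects(data):
    """Map (num, gen) -> details for ids defined more than once with differing
    bodies. A first-wins reader renders bodies[0], a last-wins reader bodies[-1].
    Severity is only raised when a body carries active content."""
    bodies_by_id = {}
    for num, gen, body in iter_objects(data):
        bodies_by_id.setdefault((num, gen), []).append(body)
    findings = {}
    for obj_id, bodies in bodies_by_id.items():
        if len({hashlib.sha256(b).digest() for b in bodies}) < 2:
            continue  # identical bytes each time: harmless repetition
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings[obj_id] = {
            "definitions": len(bodies),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "active_content": active,
            "severity": "high" if active else "info",
        }
    return findings


def extract_uris(data):
    """Clickable /URI targets from link actions, with PDF string escapes undone."""
    uris = []
    for m in URI_RE.finditer(data):
        raw = m.group(1)
        for esc, lit in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_assessment(data, min_links=5, cluster_ratio=0.5, max_size=256 * 1024):
    """Score the link-farm shape: a small file whose clickable external links are
    mostly .pdf targets clustered on one host. Thresholds are assumptions."""
    external = [u for u in extract_uris(data) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_links = sum(1 for u in external if urlsplit(u).path.lower().endswith(".pdf"))
    top_fraction = top_count / len(external) if external else 0.0
    flagged = (
        len(data) <= max_size
        and len(external) >= min_links
        and top_fraction >= cluster_ratio
        and pdf_links * 2 >= len(external)
    )
    return {
        "size": len(data),
        "external_links": len(external),
        "pdf_links": pdf_links,
        "top_host": top_host,
        "top_host_fraction": top_fraction,
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(link_farm_assessment(SAMPLE_PDF))
    for obj_id, info in duplicate_objects(SAMPLE_PDF).items():
        print(obj_id, info["definitions"], info["severity"], info["last_wins"].strip())
```

On the constructed sample the link check reports five external links, four of them .pdf, with 60 % on one host, and the duplicate check reports object 4 0 defined twice with JavaScript in the later body. For real triage, decompress object streams (/ObjStm) first, since link annotations stored inside them are invisible to a raw byte scan, and treat the thresholds as starting points to tune against your own benign corpus.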

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000d0a2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD0A2    5416 bytes
  SHA-256: 8eb1c9c8b5184583f159bf36ffaab500c9f97667608e4b2dc93080d83c39ba02
font_01_sfnt_off0000e2e8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE2E8   10032 bytes
  SHA-256: a15ffa2de6a221e0c531167a608a176a4b506a4330f68a7ebfeaee23bcfd8be2
font_02_sfnt_off00010565.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10565   4324 bytes
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333