Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7b56f51989a5f63…

MALICIOUS

PDF

70.0 KB Created: 2020-12-18 04:48:43 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: da03caf4b69da9dc1d0d0507d2443073 SHA-1: 77f4e3d0b76aeba7353bf4a920223b9ea2b68d1c SHA-256: e7b56f51989a5f63e7910a044cb9bca2b08d6e689aa76c5ea1de128c78096e6c
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a heuristic indicating it is part of a link farm, with one of the external URIs pointing to a suspicious domain ('traffine.ru'). The ML classifier and ClamAV detection strongly suggest malicious intent. The document body, though heavily obfuscated, appears to be a lure related to a 'supply list', which is a common tactic for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffine.ru/strik?utm_term=webb+middle+school+supply+list
    • https://wilunozuwi.weebly.com/uploads/1/3/4/4/134432110/xofovobexinedoso.pdf
    • https://simogewijak.weebly.com/uploads/1/3/4/6/134642120/bd8c21a40acbad.pdf
    • https://vexepagofebove.weebly.com/uploads/1/3/4/8/134866030/0660f75bddb8a72.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/b48b0b90-788f-4426-9364-7178736b4870/tepawogifutafir.pdf
    • https://s3.amazonaws.com/feseni/acrylic_sheets_for_sale_in_miami.pdf
    • https://uploads.strikinglycdn.com/files/ad896895-e807-418b-bc54-f42912c60298/krylon_crystal_clear_glaze.pdf
    • https://uploads.strikinglycdn.com/files/05b76803-8e1d-49b8-b119-d8ff94cc709a/terraria_metal_tiers.pdf
    • https://static1.squarespace.com/static/5fc578abd49dd1244753261b/t/5fc688c7a97599144edc714f/1606846664622/h._264_dvr_password_recovery_by_technical_th1nk.pdf
    • https://uploads.strikinglycdn.com/files/5a0f1680-3389-4739-8088-dc7c93f0365a/6241992112.pdf
    • https://uploads.strikinglycdn.com/files/c65b2457-b532-468e-a06a-ddefb39370cc/23964166380.pdf
    • https://uploads.strikinglycdn.com/files/216f3054-0cc2-493f-a598-ea77310e21b2/13516705941.pdf
    • https://static1.squarespace.com/static/5fc0d4086b97992eb55bb7f9/t/5fc9c55a196a600d3c31bb57/1607058779731/32912307954.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c687.bin
6e4356f167d21d997c909796e6206902d3bf06f0fe7e998fce3e91a931108208		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC687 5036 bytes
font_01_sfnt_off0000d7bc.bin
ba9e06000e671c5d9be068f19f37b90e11955518a21fb44b5c6b95f701523a8c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD7BC 11000 bytes
font_02_sfnt_off0000fd0e.bin
a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD0E 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.