Malicious PDF — malware analysis report

Static analysis result for SHA-256 f148649c36ca3382…

MALICIOUS

PDF

Size: 62.8 KB
Created: 2020-12-16 19:42:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5c42abdf8d3dee4186a7fdede6ba34fb
SHA-1: 596167173bd46f0bb536bc523e8b880a248923a2
SHA-256: f148649c36ca3382656a8ab000af46bfb8053b53985034ac1b8c24bf4cd581ae
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, with at least two pointing to disposable hosting services, suggesting a link farm or phishing lure. The presence of external URIs and the 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristic strongly indicate the document's purpose is to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafftec.ru/123?utm_term=where+to+get+straw+and+quarried+stone+in+skyrim
    • https://kupanonul.weebly.com/uploads/1/3/4/6/134682697/duvijodetan.pdf
    • https://nulebudi.weebly.com/uploads/1/3/4/5/134593979/5885489.pdf
    • https://tuxitusonodedin.weebly.com/uploads/1/3/0/8/130873989/7396204.pdf
    • https://rigafefabapamum.weebly.com/uploads/1/3/4/4/134486683/kixasonedi-sebalize.pdf
    • https://megadezatesaram.weebly.com/uploads/1/3/0/7/130776649/3957612.pdf
    • https://buxijoxusezo.weebly.com/uploads/1/3/1/4/131483018/vujedekofofutu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1c83be01-42ca-4699-ac57-0b07426e5c90/ximelujuduxepobuxesu.pdf
    • https://uploads.strikinglycdn.com/files/fdfbd151-c2fe-493c-9684-a8e758d7cb3b/biology_igcse_z_notes.pdf
    • https://uploads.strikinglycdn.com/files/c5e99ffd-b7de-4e9a-82ff-172f660c065e/23465509676.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf63b7f8cdb769c6dad28d/1606378423775/88319313684.pdf
    • https://static1.squarespace.com/static/5fc57c6e085bf90c0e1c1b48/t/5fc9f5fb52b5874c8594f298/1607071228264/wifi_mobile_data_switch.pdf
    • https://uploads.strikinglycdn.com/files/8843e2f0-cdc6-4768-904d-d34e6c3c5c3c/47898399144.pdf
    • https://s3.amazonaws.com/sojaxub/tri_fold_brochure_mockup_template_free.pdf
    • https://s3.amazonaws.com/juzinaramip/fatososodelukuzijirofego.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000b897.bin
  SHA-256: 9bd89876c70ceced08a2f51e67ca0f4c429a7c52bd65b9b81fe4d3477dd00b1a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB897
  Size: 5604 bytes

Filename: font_01_sfnt_off0000cb95.bin
  SHA-256: f343d1ad816a2cbc89e8967b90a548d5781e89531d0ccd3587c556e6e4715d0a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCB95
  Size: 10200 bytes