Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6df3e4ab3316a05…

MALICIOUS

PDF

Size: 131.3 KB
Created: 2020-12-19 08:25:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-26
MD5: 6068d060064b01446ac14c2bee217c97
SHA-1: 16975119403b061dbd7ebe7e6ae6bfb3ee9d125c
SHA-256: f6df3e4ab3316a0553e569c010701559134aadf40fde23a72047d6149370bd15
Risk score: 214

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple embedded links, one of which points to redirector infrastructure associated with a known malicious PDF SEO/adware campaign. The PDF_SEO_LINK_FARM heuristic flags an unusually large number of external PDF links for a document of this size, mostly clustered on one host, which matches generated link-farm carriers rather than genuine citations. The ML classifier (0.9996) and the ClamAV signature agree that the file is malicious. The delivery mechanism relies on user clicks and redirect chains rather than a PDF parser vulnerability, so the likely outcome is phishing or unwanted-software delivery via the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffking.ru/123?utm_term=w+shape+properties+metric  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366949/normal_5f960706182a7.pdf  (in PDF document text)
    • https://vonubaxuted.weebly.com/uploads/1/3/1/4/131452839/8536171.pdf  (in PDF document text)
    • https://nokesopupikes.weebly.com/uploads/1/3/4/7/134767934/3788309.pdf  (in PDF document text)
    • https://fobewesepujub.weebly.com/uploads/1/3/2/3/132303403/9396850.pdf  (in PDF document text)
    • https://kezagoguz.weebly.com/uploads/1/3/4/1/134131769/3155726.pdf  (in PDF document text)
    • https://virataxutepubom.weebly.com/uploads/1/3/0/8/130874282/30bfad0a6af73ae.pdf  (in PDF document text)
    • https://dupizonax.weebly.com/uploads/1/3/1/3/131380343/pomuxu-dexikodawopitan-xajuramukuz.pdf  (in PDF document text)
    • https://xezuzevujuniz.weebly.com/uploads/1/3/4/5/134586082/mabovuke.pdf  (in PDF document text)
    • http://www.ascendercorp.com/  (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (in PDF document text)
    • http://www.daltonmaag.com/  (in PDF document text)
    • https://s3.amazonaws.com/divikufifir/waxatiguwumanalevitig.pdf  (in PDF document text)
    • https://s3.amazonaws.com/jinabisura/us_army_helicopter_game_apk.pdf  (in PDF document text)
    • https://s3.amazonaws.com/kewakuko/suwululuf.pdf  (in PDF document text)
    • https://s3.amazonaws.com/lixuduwonifa/32326543560.pdf  (in PDF document text)
    • https://s3.amazonaws.com/zonebon/wosebut.pdf  (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in PDF document text)
    • http://purl.org/dc/elements/1.1/  (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (in PDF document text)
    • http://scripts.sil.org/OFL  (in PDF document text)
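As an added example, not part of this report or of the scanner's own code, the Python below reimplements the two structural heuristics above and the per-URL channel labelling over raw PDF bytes. It finds every "N G obj" definition and flags object numbers defined more than once with different bodies, showing what a first-wins and a last-wins reader would each resolve and raising severity only when a duplicate carries active content (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape). It extracts URLs and labels each one as a clickable /URI link action or as bare document text, which is the bucket the XMP namespace and font-licence URLs above fall into. It then scores the PDF_SEO_LINK_FARM shape by clustering clickable links on their registrable domain. The sample PDF is constructed inline, the redirector.example host and the three thresholds are assumptions, and the eTLD+1 logic is a two-label approximation rather than a public-suffix-list lookup.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Regexes over the raw file bytes: "N G obj ... endobj" bodies, clickable /URI actions,
# bare URLs anywhere in the file, and dictionary keys that indicate active content.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
RAW_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|SubmitForm|GoToR|URI)\b")


def build_sample_pdf():
    """Constructed sample, not the analysed file: one page with eleven link annotations
    (eight on *.weebly.com), an XMP metadata stream, and an incremental update that
    redefines object 4 with a different body that now carries an /OpenAction."""
    hosts = ["vonub", "nokes", "fobew", "kezag", "virat", "dupiz", "xezuz", "mabov"]
    links = ["https://%s.weebly.com/uploads/1/3/%d/%d.pdf" % (h, i, 1000 + i) for i, h in enumerate(hosts)]
    links += ["http://www.ascendercorp.com/", "http://www.daltonmaag.com/",
              "https://redirector.example/123?utm_term=shape+properties"]  # hypothetical redirector
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(links)))
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>\nendobj\n",
        b"4 0 obj\n<< /Title (Constructed sample) >>\nendobj\n",
        b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream\nendobj\n",
    ]
    for i, url in enumerate(links):
        parts.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (10 + i, url.encode()))
    parts.append(b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n")
    # Incremental update: object 4 again, same (N G), different body, now with active content.
    parts.append(b"4 0 obj\n<< /Title (Constructed sample) "
                 b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n")
    parts.append(b"trailer\n<< /Root 1 0 R /Info 4 0 R /Prev 0 >>\n%%EOF\n")
    return b"".join(parts)


def unescape_pdf_string(raw):
    """Undo the literal-string escapes that matter for URLs: \\( \\) and \\\\ (octal escapes ignored)."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw)


def find_indirect_objects(data):
    """Map (object number, generation) -> every body seen for it, in file order."""
    objects = {}
    for m in OBJ_RE.finditer(data):
        objects.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return objects


def duplicate_objects(data):
    """Same (N G) defined more than once with different bytes: report what a first-wins
    and a last-wins reader would see; severity only rises if a body has active content."""
    hits = []
    for key, bodies in find_indirect_objects(data).items():
        if len(set(bodies)) > 1:
            active = any(ACTIVE_RE.search(b) for b in bodies)
            hits.append({"object": key, "first_wins": bodies[0], "last_wins": bodies[-1],
                         "severity": "high" if active else "info"})
    return hits


def extract_urls(data):
    """(url, channel) pairs. 'link-annotation' = clickable /URI action; 'document-text' =
    the URL merely occurs as bytes (XMP namespaces, font licences) and is not a detection."""
    urls, seen = [], set()
    for m in URI_RE.finditer(data):
        url = unescape_pdf_string(m.group(1)).decode("latin-1")
        if url not in seen:
            urls.append((url, "link-annotation"))
            seen.add(url)
    for m in RAW_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            urls.append((url, "document-text"))
            seen.add(url)
    return urls


def registrable_domain(host):
    """Crude eTLD+1 (last two labels) so *.weebly.com collapses into one cluster;
    a production rule would consult the public suffix list instead."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_farm_assessment(urls, file_size, max_size=256 * 1024, min_links=8, min_cluster=0.5):
    """Small file + many clickable external links + most of them on one domain.
    The three thresholds are assumptions for this example, not the scanner's."""
    clickable = [u for u, channel in urls if channel == "link-annotation"]
    if not clickable:
        return {"clickable_links": 0, "top_domain": None, "cluster_ratio": 0.0, "link_farm": False}
    domains = Counter(registrable_domain(urlparse(u).hostname or "") for u in clickable)
    top_domain, top_count = domains.most_common(1)[0]
    ratio = top_count / len(clickable)
    return {"clickable_links": len(clickable), "top_domain": top_domain, "cluster_ratio": round(ratio, 2),
            "link_farm": file_size <= max_size and len(clickable) >= min_links and ratio >= min_cluster}


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for url, channel in extract_urls(pdf):
        print("%-16s %s" % (channel, url))
    for hit in duplicate_objects(pdf):
        print("duplicate object %d %d [%s]: first-wins=%r last-wins=%r"
              % (hit["object"] + (hit["severity"], hit["first_wins"], hit["last_wins"])))
    print(link_farm_assessment(extract_urls(pdf), len(pdf)))
```

Run against a real sample by replacing build_sample_pdf() with the file's bytes. Object streams and compressed content are not expanded here, so on a real file this regex pass sees only the uncompressed object table; the heuristic point survives, since incremental-update duplicates and link annotations are usually written in the clear by the generators this campaign uses.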

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0001c018.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1C018  4836 bytes
  SHA-256: b6c8f1deaade0634543d2106197741a41a4e03c4e20ca4e973f34085e82de0c1
font_01_sfnt_off0001d08c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1D08C  9656 bytes
  SHA-256: fc8d2e345bb8394f7b7c5d6ba7b89b73c0f7df2ce290d7cdb34df14eb5264bd8
font_02_sfnt_off0001f1a2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1F1A2  4324 bytes
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3