Malicious PDF — malware analysis report

Static analysis result for SHA-256 f96e6e3ff95c78e2…

MALICIOUS

PDF

Size: 62.3 KB
Created: 2020-11-21 03:05:04 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-26
MD5: eda1c9e4ca52d79ab9ee0e7f81fb601d
SHA-1: f5ab4d04b3528941c43883031ac59b7224791f56
SHA-256: f96e6e3ff95c78e22bea37bb5e6a6321b62124b92600096c1a18374d92dfa56e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, suggesting it is part of an SEO spam or phishing campaign. The embedded URLs point to various hosting services, likely serving as lures to malicious content. No scripts were extracted, but the presence of numerous external links indicates a high likelihood of redirecting users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ab2f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAB2F | 4892 bytes
  SHA-256: cd5474b0091294c2d42aa09536449f93cf9c3cbd8add9bcc03aec2c12f2a4f83
font_01_sfnt_off0000bbc3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBBC3 | 10100 bytes
  SHA-256: 26266bc29f6945869c9b2a9d61c95b239a612c4b1ed3d3d9a4c9ece6f75a3c37
font_02_sfnt_off0000de5c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDE5C | 4324 bytes
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378