Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb47e28618051309…

MALICIOUS

PDF

82.4 KB Created: 2020-11-25 06:24:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de8bb4296b4b6f14086d32e4ba4bed3c SHA-1: e69e2636beab48f7bc8c136217e18b6ab0833e47 SHA-256: fb47e28618051309641f905ae12ddadc76d0283af87e47baab038c882db00c57
214 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple links to external websites, with one critical heuristic identifying a link to known malicious redirector infrastructure. The presence of a large number of PDF links suggests a link farm or SEO abuse tactic. While no scripts were extracted, the document's structure and embedded links strongly indicate an attempt to redirect users to malicious content, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ggtraff.ru/strik?utm_term=wolfcraft+4525404+drill+guide
    • https://dudafenerow.weebly.com/uploads/1/3/4/9/134900552/ronizazevaj.pdf
    • https://nimewoguvinu.weebly.com/uploads/1/3/4/4/134433183/xopufo-guwegojom.pdf
    • https://cdn-cms.f-static.net/uploads/4370062/normal_5f934827e516f.pdf
    • https://cdn-cms.f-static.net/uploads/4394062/normal_5fb8193b3494b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/fefurorobumi/3914924739.pdf
    • https://uploads.strikinglycdn.com/files/82b924fb-0647-45d2-bda3-1b73c65ce6d0/21526441048.pdf
    • https://s3.amazonaws.com/buxoparadazegu/contact_management_apple.pdf
    • https://s3.amazonaws.com/babuxufarizuxur/97323148893.pdf
    • https://s3.amazonaws.com/tadevewuju/expedicion_de_cedula_catastral_informada.pdf
    • https://s3.amazonaws.com/febopa/pent_house_for_sale_in_atlanta_ga.pdf
    • https://s3.amazonaws.com/fikuvine/fujorifezib.pdf
    • https://uploads.strikinglycdn.com/files/47bcabf7-79b2-45bd-8155-0e4493471d68/moteur_lombardini_im_250_puissance.pdf
    • https://s3.amazonaws.com/wusigipufuvowix/88047867593.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e33c.bin
fabde8582986e10ce1f8d3dd58d365a059ac3587546560c347cb6b9e39050948		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE33C 5284 bytes
font_01_sfnt_off0000f55c.bin
7ad15b5ec48af0f3a971afd91d1e8c0d57dc008286be44a87716e0d41b9836b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF55C 10544 bytes
font_02_sfnt_off000119a1.bin
8345d1cc2b6b461b856d0454e2cf67edf5851291b6d0ebf21a7da0c9813a2b7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x119A1 16028 bytes
font_03_sfnt_off00012de9.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12DE9 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.