Malicious PDF — malware analysis report

Static analysis result for SHA-256 00f638418d805c5b…

Verdict: MALICIOUS
File type: PDF
Size: 95.6 KB
Created: 2021-03-19 04:44:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f64c1ad7ee549fa8490788ab567ab5d8
SHA-1: d5d4d1a99de39092691eb4ffef6428d89cfc6cd1
SHA-256: 00f638418d805c5be5d1a383932bed7b43c3c5a7b20e3c00b5875a9b45bbbd54
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. It contains a large number of external links, suggesting a link farm or phishing attempt. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic point towards an attack pattern focused on redirecting users to potentially harmful external sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9982

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off00011a94.bin (b99ea67dda469a6f6260db4e5846ff80c5558c8f312d04ea9844c5f9e423c705) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A94 | 3716 bytes
font_01_sfnt_off000127bf.bin (b054bedb017e96931ec18b4be44168b2acc3d91e5d13fcc7918b97118fd58565) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x127BF | 5172 bytes
font_02_sfnt_off0001396e.bin (9984154dccd37394f951b5ab2c0678b66442259a9cea6ff569aa875170d746a5) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1396E | 13352 bytes
font_03_sfnt_off00016293.bin (ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16293 | 4324 bytes