Malicious PDF — malware analysis report

Static analysis result for SHA-256 01b285e8fb058b72…

Verdict: MALICIOUS
File type: PDF
Size: 128.7 KB
Created: 2021-03-24 00:25:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-13
MD5: 7337c4d64f3d98a746006180d47f8f23
SHA-1: 035880b0fa55b093512ca50d21743b5fb42f5526
SHA-256: 01b285e8fb058b72be5b803260bd274341ef39594087953b5c0270cc7ce36bc9
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of them pointing to disposable free-hosting domains and Weebly-hosted PDFs: the shape of a link farm built to drive search traffic. The ML classifier and the ClamAV signature both point to malicious intent, most likely the distribution of further malware or phishing content. The embedded URLs and the PDF_SEO_LINK_FARM heuristic indicate that the document exists to route users to external sites that may be harmful; the file carries no exploit of its own, so the risk lies in the linked destinations. Note that the extracted-URL list also contains XMP namespace URIs (w3.org, purl.org, ns.adobe.com) and font-licence URLs (gnu.org, savannah.gnu.org, scripts.sil.org, dejavu.sourceforge.net), which are ordinary document metadata and embedded-font strings rather than link-farm targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9767

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, JavaScript, or similar).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it)
    • https://bologen.ru/wix?keyword=a%2526e+biography+william+shakespeare+worksheet+answers (PDF link annotation)
    • http://wukosuwusa.iblogger.org/87583532599.pdf (in PDF document text)
    • https://firizuvamo.weebly.com/uploads/1/3/4/6/134618899/togazo.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4401540/normal_603452fe26278.pdf (in PDF document text)
    • https://josifajine.weebly.com/uploads/1/3/4/7/134761936/78ff5bae.pdf (in PDF document text)
    • https://tivepikilusu.weebly.com/uploads/1/3/4/7/134759048/67b2b61adbcb.pdf (in PDF document text)
    • https://poxatekegevu.weebly.com/uploads/1/3/4/7/134753674/4755580.pdf (in PDF document text)
    • https://jimekomu.weebly.com/uploads/1/3/1/4/131453536/sinusumivaneto-lojotuxavo.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4481291/normal_5ff2dc1d9fbc8.pdf (in PDF document text)
    • https://wegenagozej.weebly.com/uploads/1/3/5/3/135394478/juwozugetejegeko.pdf (in PDF document text)
    • http://totaxusozavu.sportsontheweb.net/research_article_writing_format.pdf (in PDF document text)
    • https://jevezorubik.weebly.com/uploads/1/3/4/8/134864628/pupozeno.pdf (in PDF document text)
    • http://nenegifivujaxu.mypressonline.com/attestation_de_prise_en_charge_tudiant.pdf (in PDF document text)
    • http://liseveziko.iblogger.org/what_is_alphatrak_control_solution.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.indictrans.org (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • http://waxetip.rf.gd/rozetonuxipuwijavezijorot.pdf (in PDF document text)
    • http://ganesuk.epizy.com/34624103161.pdf (in PDF document text)
    • http://kediditu.rf.gd/coreldraw_x7_with_keygen_free_utorrent.pdf (in PDF document text)
    • http://pajamenu.rf.gd/2006_honda_civic_hybrid_engine_for_sale.pdf (in PDF document text)
    • http://mizozibobekujul.rf.gd/77322383018.pdf (in PDF document text)
    • http://mipojumujudi.rf.gd/cisa_certification_books.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU (in PDF document text; the trailing "GNU" is adjacent font-name text that the extractor ran onto the URL)
    • http://www.gnu.org/copyleft/gpl.htmRegular (in PDF document text; the trailing "Regular" is adjacent font-name text that the extractor ran onto the URL)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
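The three heuristic families above (the clustered vs spread-thin link-farm shapes of PDF_SEO_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM, the per-URL channel labels of EMBEDDED_URL, and the duplicate-definition shape of PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can all be reproduced by one small scanner. The Python below is an added example written for this page; it is not the analysis platform's code, not ClamAV's signature logic, and not from the sample. It parses indirect objects with regular expressions (ignoring the xref table on purpose, so that every definition is seen in file order), labels each URL by the channel that reached it, scores host clustering and disposable hosting among clickable .pdf links, and reports object numbers defined twice with differing bodies, raising the flag when one version carries an action key. The disposable-host suffix list, the thresholds (at least 6 .pdf links, 50% dominant-host share, 300 KB size cap) and the toy PDF built by build_sample() are assumptions chosen for illustration, not values taken from the report.

```python
"""Added example (not the analysis platform's code): triage a small PDF for the
SEO link-farm and duplicate-object heuristics described above."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumed free/disposable hosting suffixes for this PDF family (illustrative list).
DISPOSABLE_SUFFIXES = ("weebly.com", "rf.gd", "epizy.com", "iblogger.org",
                       "mypressonline.com", "sportsontheweb.net")
# Dictionary keys that make a redefined object "active content".
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)   # N G obj ... endobj
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)(?<!\\)\)", re.S)
RAW_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

def parse_objects(pdf: bytes):
    """Every 'N G obj ... endobj' definition in file order, xref ignored, so an
    incremental update that redefines an object yields a second entry for its key."""
    return [(int(n), int(g), body) for n, g, body in OBJ_RE.findall(pdf)]

def duplicate_objects(pdf: bytes):
    """Object ids defined more than once with differing body bytes. 'active' is True
    when any version carries an action/JS key, the case that raises severity."""
    versions = {}
    for num, gen, body in parse_objects(pdf):
        versions.setdefault((num, gen), []).append(body)
    return {key: {"versions": len(bodies),
                  "active": any(k in b for b in bodies for k in ACTIVE_KEYS)}
            for key, bodies in versions.items() if len(set(bodies)) > 1}

def extract_urls(pdf: bytes):
    """URL -> channel: inside a /URI action it is a 'link annotation'; any other
    URL in the raw bytes (content streams, metadata, font strings) is 'document text'."""
    urls = {}
    for _, _, body in parse_objects(pdf):
        for u in URI_ACTION_RE.findall(body):
            urls.setdefault(u.decode("latin-1"), "link annotation")
    for u in RAW_URL_RE.findall(pdf):
        urls.setdefault(u.decode("latin-1"), "document text")
    return urls

def on_disposable_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_SUFFIXES)

def link_farm_verdict(pdf: bytes, min_links: int = 6, max_size: int = 300 * 1024):
    """Clustered (PDF_SEO_LINK_FARM) vs spread-thin (PDF_SEO_DISPOSABLE_LINK_FARM),
    judged on clickable .pdf link annotations only. Thresholds are assumed values."""
    links = [u for u, ch in extract_urls(pdf).items() if ch == "link annotation"]
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    dominant = hosts.most_common(1)[0][1] / len(pdf_links) if pdf_links else 0.0
    disposable = sum(n for h, n in hosts.items() if on_disposable_host(h))
    utm_term = any("utm_term" in parse_qs(urlparse(u).query) for u in links)
    verdict = "none"
    if len(pdf) <= max_size and len(pdf_links) >= min_links:
        if dominant >= 0.5:
            verdict = "PDF_SEO_LINK_FARM"
        elif disposable or utm_term:
            verdict = "PDF_SEO_DISPOSABLE_LINK_FARM"
    return {"verdict": verdict, "pdf_links": len(pdf_links), "hosts": len(hosts),
            "dominant_share": dominant, "disposable": disposable, "utm_term": utm_term}

def build_sample(clustered: bool = False, with_update: bool = True) -> bytes:
    """Constructed toy PDF (no valid xref; the regex scanner does not need one):
    seven .pdf link annotations, one utm_term redirector, one URL in page text and,
    optionally, an incremental update turning object 4 from a bare rectangle into a
    /URI action, i.e. the duplicate-with-active-content case."""
    hosts = (["docs.example-farm.net"] * 7 if clustered else
             [f"site{i}.weebly.com" if i % 2 else f"blog{i}.rf.gd" for i in range(7)])
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 13 0 R >> endobj",
            b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 1 1] >> endobj"]
    for i, h in enumerate(hosts, start=5):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
                    b"/URI (https://%s/uploads/1/%d.pdf) >> >> endobj" % (i, h.encode(), i))
    objs += [b"12 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
             b"/URI (https://example.invalid/wix?utm_term=free+worksheet) >> >> endobj",
             b"13 0 obj << /Length 47 >> stream\nBT (License: http://scripts.sil.org/OFL) Tj ET\n"
             b"endstream endobj"]
    pdf = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    if with_update:  # same object number and generation, different body
        pdf += (b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 1 1] /A << /S /URI "
                b"/URI (https://site0.weebly.com/x.pdf) >> >> endobj\n%%EOF\n")
    return pdf

if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_verdict(sample))
    print(duplicate_objects(sample))
```

Run as a script it prints the spread-thin verdict and the redefined object 4 for the constructed sample; to triage a real file, replace build_sample() with the bytes of the file. Scoring only the link-annotation channel is deliberate: the font-licence and XMP URLs that a raw extractor also pulls from this sample are "document text" and never count towards the link-farm verdict, which is what keeps the heuristic from firing on an ordinary document with embedded fonts. Ignoring the xref is equally deliberate: a reader that trusts the xref resolves exactly one of the two bodies of object 4, so only a file-order scan exposes the first-wins/last-wins divergence.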

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0001103e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1103E | 7296 bytes | e0bad6fb0b4f53ced59756dc863c5620ff72a406f169f998c446ed768d364bb1
font_01_sfnt_off000122d7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x122D7 | 4432 bytes | 317d28efe7bb1e217385d84a525e03fc0ce878bada1e7699ea0380014c495a72
font_02_sfnt_off0001320a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1320A | 3472 bytes | 1dd655bdf5ab71ec3e4361d55f14beba82cc6c3ab56161d8f75a0c2af1cbf7f1
font_03_sfnt_off00013d1a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13D1A | 6196 bytes | 1a596e4ddaaf2a4890ff800d7f8f0f3f1ecf7362bc2539bec37e77750cece4c9
font_04_sfnt_off00014c26.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14C26 | 3884 bytes | 5e5dd308dfba920e8eb8650f306298d0a66ec520e786b50856d4113b6c90bf7a
font_05_sfnt_off0001584b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1584B | 3732 bytes | 3969ac3773bdd222cc3bf495d25cbc4dc72afdda0311f502aefa3ef7d7af407f
font_06_sfnt_off0001638d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1638D | 1780 bytes | 0f408e917c785d510e7d7259f341e5af3a6d1d5f662e81e96fbbf3548d060f80
font_07_sfnt_off00016c66.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16C66 | 29236 bytes | e6b1926dfdc597ca1b3114e28d236d26a8ee0ac7226aa700e9b970c0e9768028
font_08_sfnt_off0001b0d6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B0D6 | 17100 bytes | f71e0b55fd1e0d379457b1df431053c40d78ca6c6977a1305445235137d3c5a8
font_09_sfnt_off0001c9aa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C9AA | 4324 bytes | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
font_10_sfnt_off0001d7b3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1D7B3 | 2448 bytes | 997b2a54a8fa5b2450e641f8943e2b4ad22558c42de1bebf02c5715e2d129e8f
font_11_sfnt_off0001e18e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E18E | 6360 bytes | 5527bc18b5306c6bd3d2ddb45f09045e2f1fab2ad17fec1d2a756dca7cdecb6d