Malicious PDF — malware analysis report

Static analysis result for SHA-256 01cf5a6dd708f81a…

MALICIOUS

PDF

88.3 KB Created: 2021-03-16 16:53:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17aaf644a2b91ec43f879ae375194c4d SHA-1: d92efcc28c332cee100b6d1267c5c2cd107ddb79 SHA-256: 01cf5a6dd708f81abb153610b889d60ff67a9ae345464eb4d71950ab7aa1358d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to potentially malicious domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing lure designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/123?utm_term=bsc+bed+2019+paper
    • https://bajorenurelop.weebly.com/uploads/1/3/0/7/130739037/xusinexuwefiv.pdf
    • https://static.s123-cdn-static.com/uploads/4420745/normal_5ffc6513610bf.pdf
    • https://fipoxojumudex.weebly.com/uploads/1/3/4/6/134649093/duwivupox.pdf
    • https://ronupajowosoza.weebly.com/uploads/1/3/4/8/134871490/8020257.pdf
    • https://cdn-cms.f-static.net/uploads/4413469/normal_5fd12a1a83bf9.pdf
    • https://vopilejuwe.weebly.com/uploads/1/3/1/4/131407469/414d804.pdf
    • https://static.s123-cdn-static.com/uploads/4378834/normal_5fca83f98c7f3.pdf
    • https://lukijijuvuz.weebly.com/uploads/1/3/4/7/134742917/fedibowuti.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/7deade30-ce97-4235-9fee-9de70224e349/what_does_the_coffee_grim_offers_max_symbolize.pdf
    • https://uploads.strikinglycdn.com/files/9a0041b1-abb9-4885-b014-1ec9a4c4745d/fodamumor.pdf
    • https://uploads.strikinglycdn.com/files/0f12f5d5-d6ce-4971-b0b9-9bbe245858a0/83167746580.pdf
    • https://11ab4cf5-156d-4417-99e9-5039b2a7eb5f.filesusr.com/ugd/82d61e_69701433687a4be3b5b2960e46df4b7f.pdf?index=true
    • https://0491f86b-060d-4f4a-be23-b0d01488777f.filesusr.com/ugd/faa7ef_a40f19bc0e8d4b7f827da72c9c9843d4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/60dde891-945f-4817-a081-6df4027cca3d/dudemefatok.pdf
    • https://8c77b9b7-c39b-43d6-9406-6086bd2c0f93.filesusr.com/ugd/ee6770_698b7c8a808a4da0ba52df28341a4053.pdf?index=true
    • https://5e54824a-8208-41b0-8aeb-7c017e8cfb46.filesusr.com/ugd/f64db8_327c230e12d544518da54bd2aa4063f1.pdf?index=true
    • https://a29d81ee-e589-4368-99bd-4e0be04eb4c0.filesusr.com/ugd/a89e6e_65a5acb3d6c44dcfba9be1ab8e81c685.pdf?index=true
    • https://42190e62-4dca-482d-a077-ae7b222d7779.filesusr.com/ugd/b91392_11ad3d6814d9451e96391d5ffb376533.pdf?index=true
    • https://e61e9f85-32c5-4861-9fd4-b89109084c35.filesusr.com/ugd/2e4eb4_089e250a55794116a5df1ab83c5924bb.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef1e.bin
fab1682d0e7c60e1960b67fce5509a98d7ed91d437b89a5b1b774a88680d18ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF1E 5704 bytes
font_01_sfnt_off00010291.bin
b91f3c26f37c28538ed09035cbea6f9221827f1e30b50c452f08cc820bcc167b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10291 3720 bytes
font_02_sfnt_off00010df4.bin
107d400db83a9d5407f29fe036d9834430042c6bec274a5fb961f31c2f0492c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10DF4 10916 bytes
font_03_sfnt_off00013381.bin
169595b484cfbff3a09317c13a4afd51a1caa17639df2e095e933aa52fdc7dbc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13381 9292 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.