Malicious PDF — malware analysis report

Static analysis result for SHA-256 03947db9ea8b4e99…

MALICIOUS

PDF

78.2 KB Created: 2021-03-24 18:33:15 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5388a3dd16d431f89f4f5b9eec228692 SHA-1: a0fb5609b50330137dc53fe52ca93d1f17c85ff7 SHA-256: 03947db9ea8b4e996569bec4421480033187bb6ab513eed01e613910f4eb5e35
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file identified as malicious by ClamAV and an ML classifier. It contains a large number of external links, suggesting a link farm or redirection tactic. The document body, though heavily obfuscated, contains keywords related to software licensing, likely a lure. While no scripts were explicitly extracted, the presence of numerous external URLs and the PDF structure itself are indicative of malicious intent, potentially for SEO spam or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/wix?keyword=ez+check+printing+software+license+key+free
    • http://bunakevogipo.iblogger.org/halloween_algebra_worksheets_free.pdf
    • http://budofibo.mygamesonline.org/isometric_drawing_autocad.pdf
    • http://sirosin.iblogger.org/pumabinusujugefomanidakew.pdf
    • http://mofirixubutibi.getenjoyment.net/movofubidabunu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://laxolivavaru.epizy.com/tecnologia_de_informao_na_logistica.pdf
    • http://galusuvojames.epizy.com/pipaligokidomedabi.pdf
    • http://juwukopegonamu.onlinewebshop.net/autodwg_to_dwg_converter_pro_2020_v3._9._1.pdf
    • http://rawigukegopafot.onlinewebshop.net/41095564341.pdf
    • https://uploads.strikinglycdn.com/files/8aa01315-5449-448d-92dc-07e709738999/gaggia_titanium_hot_water_ventilate.pdf
    • http://dozuxix.myartsonline.com/administrative_and_election_law_reviewer.pdf
    • https://uploads.strikinglycdn.com/files/f4d59748-ecf2-4f8b-a38a-6d9deebe7999/kenmore_dishwasher_repair_videos.pdf
    • https://s3.amazonaws.com/zasepo/keroxuloze.pdf
    • https://uploads.strikinglycdn.com/files/a133d5b4-e843-410f-a253-43b7295d7106/kenmore_elite_oasis_washer_troubleshooting.pdf
    • https://e8e87dc5-637d-47ba-9de6-e7d98d123d78.filesusr.com/ugd/a69a03_55af32708ede40559e1c845a0bad40c3.pdf?index=true
    • https://3ea853e4-7f2b-4fb0-9229-b04907a1e321.filesusr.com/ugd/d94095_3a405c1895084c3eb1dcb9174e665997.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4d183129-82d4-424a-bd01-c910ad9676b7/vebesage.pdf
    • https://uploads.strikinglycdn.com/files/9a10a1fe-c8f0-41ad-8aab-21067a420eb6/what_to_eat_after_alkaline_diet.pdf
    • https://44eeb0f0-4dc9-4d8b-b3fd-cc7ace98e90e.filesusr.com/ugd/a083a1_b386d13ff3c24265a21a070d6ce71102.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1dcc0363-f97d-4477-ac17-ab22e9a8bbfb/zikidixemafed.pdf
    • https://081e7fb2-604d-424b-9b75-a58d54a71a44.filesusr.com/ugd/abd6ea_f7cdeb36c9f948c3b848672a8dcf8807.pdf?index=true
    • https://s3.amazonaws.com/zodererezuzuxi/precalculus_enhanced_with_graphing_utilities_7th_edition_online.pdf
    • http://gagivipupine.epizy.com/rodofawuresufagad.pdf
    • https://s3.amazonaws.com/kiguteperilodu/which_is_an_example_of_a_smart_objective_weegy.pdf
    • https://f2fffe36-c7b4-4b88-9608-518dc6c14750.filesusr.com/ugd/950b2a_ecbfd0f7443141829069c3f489c46ed8.pdf?index=true
    • https://s3.amazonaws.com/xurixado/yamaha_dgx-660b_y.pdf
    • https://uploads.strikinglycdn.com/files/791e3039-d421-48f9-ad58-241c0a6bb351/59540712733.pdf
    • https://uploads.strikinglycdn.com/files/1f5f3049-69af-40c3-8024-4542e11fa7d0/pivuxiferarifesujemipag.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f3f2.bin
34402be0052a8f53032322169ce7e2621b705a19ba50246627da18fe89b9b5b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF3F2 5540 bytes
font_01_sfnt_off000106f1.bin
adaff0f6a8b5d86ecc9b88c228fa9fb47325ebbc71100955a8027dc885f2e74c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x106F1 10484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.