Malicious PDF — malware analysis report

Static analysis result for SHA-256 052dfcaf606542e5…

MALICIOUS

PDF

Size: 85.9 KB
Created: 2021-04-03 02:34:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e6aa708904e8723264a41557468d4a75
SHA-1: dee8add344577923adc01bfbd8a74f61f9ec4422
SHA-256: 052dfcaf606542e5b80e099385bb49cdc6d744eacf2af698d7ba06b4ff8c4849
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, suggesting it is part of a link farm or SEO spam campaign designed to drive traffic to potentially malicious websites. The embedded URLs and the overall structure point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00011201.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11201   5248 bytes
  SHA-256: e84fa0d16fe41e6a7529dc9315ba04525314b8171e28718575aef9ec3efe12c6
font_01_sfnt_off000123b1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x123B1   11164 bytes
  SHA-256: a7e8659fa9aea6f5235e4243a422bd2367754f9ed6317314c94c057ddf5519ef