Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bf980bf3cf5df44…

MALICIOUS

PDF

Size: 73.7 KB
Created: 2021-03-16 00:29:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82ad251c40ef913db5d461461eed22a2
SHA-1: 52168ddefc66b95c1a7d3f63396ae17bd7f81b93
SHA-256: 0bf980bf3cf5df448cb3f870c034ec2ceb9640cbeb6500fe28497aff58deef35
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, many of which are designed to mimic search results for popular books, a common tactic for SEO link farms. The primary URL, 'https://resalured.ru/wix?keyword=the+art+of+social+media+guy+kawasaki+pdf', suggests a lure to a website that likely hosts malicious content or phishing pages. ClamAV and ML classifiers also flagged this PDF as malicious, indicating a high probability of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://resalured.ru/wix?keyword=the+art+of+social+media+guy+kawasaki+pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e114.bin
  SHA-256: 82892e0f09611f25d7299677c6deb25063c592b19d1c0d24b2704c542ca3b80c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE114
  Size: 5776 bytes

Filename: font_01_sfnt_off0000f4ac.bin
  SHA-256: ca81362086a2dbb28e097a28212f8039fa8c95a89726ae408103b8fa2c26efe3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF4AC
  Size: 10700 bytes