Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c8ad801bbc08974…

Verdict: MALICIOUS
File type: PDF
Size: 95.0 KB
Created: 2021-03-15 01:48:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 921d83cbebaeebcc633a7be5186975c6
SHA-1: 72d2d197882e31e3de48585f35f0ad6600c0747e
SHA-256: 0c8ad801bbc089749c3e9af9f160ca60c229edeae410945be95132b4f5f2efcd
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to Weebly and other hosting services, suggesting a link farm or SEO manipulation tactic. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. While no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9921

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/wix?keyword=synthesis+of+magnesium+oxide+lab+answers
    • https://roturusuwanowus.weebly.com/uploads/1/3/4/3/134363773/rumek.pdf
    • https://cdn.sqhk.co/tosobulig/c2qhakW/fun_word_games_to_play_with_friends_indoors.pdf
    • https://radisowe.weebly.com/uploads/1/3/4/3/134366404/b5dbb8e10cf15.pdf
    • https://static.s123-cdn-static.com/uploads/4506063/normal_5ffd63c603300.pdf
    • https://cdn.sqhk.co/fiseguvugele/cWuPjgB/81551741519.pdf
    • https://kidivine.weebly.com/uploads/1/3/4/5/134576756/d1e629b4cadf4.pdf
    • https://lobogisotu.weebly.com/uploads/1/3/4/8/134870795/143bac.pdf
    • https://cdn.sqhk.co/xurokagozagu/9PehbSx/26123085899.pdf
    • https://xukutejupu.weebly.com/uploads/1/3/4/4/134487517/3568cffa3aea.pdf
    • https://bejixetixozivi.weebly.com/uploads/1/3/4/4/134499198/f9c11566cd.pdf
    • https://static.s123-cdn-static.com/uploads/4489588/normal_5febf68314501.pdf
    • https://cdn.sqhk.co/sejarepezibo/VjdqBig/football_games_today_live.pdf
    • https://cdn.sqhk.co/vasegodesazu/csijiMO/hockey_phil_kessel_nickname.pdf
    • https://static.s123-cdn-static.com/uploads/4388820/normal_5fdcd8af29ed2.pdf
    • https://cdn-cms.f-static.net/uploads/4489607/normal_6047a1acd9d4e.pdf
    • https://cdn.sqhk.co/wopidaxiwuk/MenTjbY/lagasigerev.pdf
    • https://cdn-cms.f-static.net/uploads/4466376/normal_5fd93cb3c953d.pdf
    • https://cdn.sqhk.co/sakixowofeg/1hgjhdv/sosapefosapowusebenibikiw.pdf
    • https://xejukogafowoje.weebly.com/uploads/1/3/2/6/132682905/9081602.pdf
    • https://cdn.sqhk.co/rolileduvof/oijiFja/sesetiwelutejituvozu.pdf
    • https://cdn.sqhk.co/jipodipotaj/gKnhjjg/cut_up_3d_print.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://1c896d37-30d1-4b4d-9537-98f963aae812.filesusr.com/ugd/865d50_7585473441b64186bcae2c685ad36dfc.pdf?index=true
    • https://3745348a-78a0-42d7-8ff4-af2b45bf5faf.filesusr.com/ugd/02631b_865f1fc9d1eb44c68a569f98dbca71d8.pdf?index=true
    • https://0eaabcdb-938a-45a6-85a3-1a7d796bbcdd.filesusr.com/ugd/8d6d25_f9dfee42b83f4d2bb5ee99d6ea9e9242.pdf?index=true
    • https://711920be-b761-4f0e-a604-762b26663b16.filesusr.com/ugd/ffcbea_8fc9b83e0790434e8ba59ee9bbd6afba.pdf?index=true
    • https://083189c9-8220-4687-a375-57be19a37228.filesusr.com/ugd/909b15_38f81c7372944332bb84d0fbea9e2f53.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0001116a.bin | 608de3a122f867c2cb628760782d0be1b572838c5b6bbbf9247de66466d4e0f0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1116A | 5708 bytes |
| font_01_sfnt_off000124bd.bin | ffa6dfab102d05100d3798b51396a74adc1ba021569439c59797a583d3d28eb7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x124BD | 11088 bytes |
| font_02_sfnt_off00014abc.bin | 3bb08857b08983a257d5a2052628e18542fd51c8d29f5bbef87ea8b8ace00841 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14ABC | 16096 bytes |
| font_03_sfnt_off00015f85.bin | 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15F85 | 4324 bytes |