Malicious PDF — malware analysis report

Static analysis result for SHA-256 0df2b8883e3dae82…

MALICIOUS

PDF

80.5 KB Created: 2021-05-04 02:58:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d595462269cf08536d3a44275ec92980 SHA-1: af90652fbf8053d675230c363dc179c5ea2a129b SHA-256: 0df2b8883e3dae82a82df68c99c2dfa427af70372ef909711903eab1e829f2cd
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting it functions as a link farm for phishing or malware distribution. The presence of embedded URLs further supports this, directing users to potentially harmful sites like https://mezovuduw.ru/strik?utm_term=spreader+setting+for+lime+application.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/strik?utm_term=spreader+setting+for+lime+application
    • https://cdn.sqhk.co/gisepavuv/ihaifnQ/tofanujesovunekewimesak.pdf
    • https://cdn.sqhk.co/merojuniv/fhjDggs/video_online_site.pdf
    • https://welogodeketi.weebly.com/uploads/1/3/5/3/135326703/1042848.pdf
    • https://lulofaki.weebly.com/uploads/1/3/1/4/131453598/37db84a73b6e6d.pdf
    • http://kitafoged.medianewsonline.com/explode_the_code_books_1-8.pdf
    • https://cdn.sqhk.co/pikevasoze/jHGjjjg/kuwozazolokufusiwu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://2a1457bb-a4d2-449b-8914-d784a503a6da.filesusr.com/ugd/c0fca2_ff876a0559c748b29a1e62e42d15cc6a.pdf?index=true
    • https://69f7c7ec-f776-4f8b-90c4-e8126cd531e3.filesusr.com/ugd/772020_7ad12dc7258f4ad79d42ffc63400b426.pdf?index=true
    • https://uploads.strikinglycdn.com/files/eac234f8-7b53-4fbb-abbf-74a69483dc1f/pentair_superflo_manual.pdf
    • https://22e365c6-0853-42e1-82f8-83473bf9c0bf.filesusr.com/ugd/217d68_3e2e330983c14368961c9196be3b6a75.pdf?index=true
    • https://748e6e98-33e2-4bd1-95aa-01ea3505a154.filesusr.com/ugd/704f6c_acc24ea557b74581b05ffccb69647162.pdf?index=true
    • https://dbb1fad9-9c05-458f-9e32-bc0b7f65d7ec.filesusr.com/ugd/451461_4ce8f89ee5d84f1c8247dc32ba20977d.pdf?index=true
    • https://ce55c564-0e79-48ac-bd91-a034cff8554b.filesusr.com/ugd/bd1fc0_94ea8dae56af4c54a646c46dbcd115e7.pdf?index=true
    • https://4ef57e19-9a2e-4e6f-a444-f6b59f982a39.filesusr.com/ugd/4c1554_274bdef0dbf642239a7538903a20a1fa.pdf?index=true
    • https://uploads.strikinglycdn.com/files/83aadf72-7a34-4e00-b0bc-965b417ae661/define_free_will.pdf
    • http://nejesezape.myartsonline.com/xexubimuw.pdf
    • https://uploads.strikinglycdn.com/files/0abb9c14-7994-4d08-9de3-cdd400e1ca7e/93658853086.pdf
    • https://uploads.strikinglycdn.com/files/c6808efd-6e79-4495-9946-11731bb6f149/foretituliro.pdf
    • https://uploads.strikinglycdn.com/files/c6a459d7-e167-4754-9e98-f0820049780c/23787511020.pdf
    • https://5984e891-aecd-43e6-866f-efdb297c9c35.filesusr.com/ugd/403565_5f2e33caa5a8407cbb3be9cdb41b6834.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fb49.bin
c18da326483912e4c48f4caaf7fab16e5d22ae8de0699621ef16850a0bde6928		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB49 5580 bytes
font_01_sfnt_off00010e33.bin
553bcf4fefaa00833713ab8ee6a1a693acef5753e371753ed6ff77ee1de18e0f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E33 11224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.