Malicious PDF — malware analysis report

Static analysis result for SHA-256 1201540311b18c49…

Verdict: MALICIOUS

File type: PDF

Size: 74.4 KB
Created: 2021-03-29 04:45:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d79e5c455e1b345cab1a4884fd0757cf
SHA-1: e04694149fc8a0f06db3ef0526a8451a016e8828
SHA-256: 1201540311b18c49af9067d52cefefd4c4414ab3548e7c8ac84c9bb19bfaa71b
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious content. It contains a large number of embedded external links, with specific attention drawn to a link farm heuristic. The primary purpose appears to be directing users to potentially malicious or spam-related websites, as evidenced by the URLs and the PDF_SEO_LINK_FARM heuristic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e5da.bin
    SHA-256: e76800ac3d70622346e4d2b7e9762747116d8b071cb9dd1a6071aaefc9bb9350
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE5DA
    Size: 5388 bytes
  • Filename: font_01_sfnt_off0000f834.bin
    SHA-256: 977f5fb29643fc5dd13d0392d97d5269b99cdcba9e508d4e40c9a8e24e267b0a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF834
    Size: 10520 bytes