Malicious PDF — malware analysis report

Static analysis result for SHA-256 1404fa37671cdd14…

MALICIOUS

PDF

83.2 KB Created: 2021-03-16 18:55:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a90d80c70d060b17f03ffaa556ebc20d SHA-1: d6ae3bcf2fec8a327d5d793d94be9ecb7c27da54 SHA-256: 1404fa37671cdd14063effd35adb9c5b6e0a46be3af7b7fedfbc2dfc3db0ddef
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, with one heuristic specifically identifying a 'PDF_SEO_LINK_FARM' indicating a large number of outbound links. The document body, though heavily obfuscated, suggests a lure related to 'business law book pdf'. The presence of multiple unknown reputation URLs, including one directly related to the document's apparent theme, strongly suggests a phishing or redirection attempt. While no scripts were explicitly extracted, the PDF structure and link farm heuristic point towards malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/award?keyword=business+law+book+pdf+for+b.+com
    • http://newsportstechnology.ru/the_alienist_season_1_episode_synopsisoff7j.pdf
    • https://jozinuzo.weebly.com/uploads/1/3/2/7/132712000/0f0ecb7a859e.pdf
    • http://kersita.fun/mozetonigisararulageddru7.pdf
    • http://kprovk.xyz/nivobapuxasetlsqi.pdf
    • https://gavuwili.weebly.com/uploads/1/3/1/0/131070236/xenaturexelomewo.pdf
    • http://balifruit.com/comptia_cysa_study_guide_exam_cs0-001a017y.pdf
    • http://mazers.fun/que_es_la_composicion_de_dos_funcionesyygni.pdf
    • https://cdn-cms.f-static.net/uploads/4425217/normal_60348c792a3ff.pdf
    • https://xevefoworux.weebly.com/uploads/1/3/1/3/131380592/wifanazumenod.pdf
    • https://cdn-cms.f-static.net/uploads/4369331/normal_60103f54b964e.pdf
    • https://cdn-cms.f-static.net/uploads/4386618/normal_601de9b620156.pdf
    • http://pestore.pro/kubenukagaminofa3kiol.pdf
    • https://rosolivemimej.weebly.com/uploads/1/3/1/3/131382018/5981660.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://ac685e6e-6442-44c0-91a1-b3a367e79ef2.filesusr.com/ugd/ce77c6_2a303e314dbb4b058bb759450a60be9c.pdf?index=true
    • https://c01188fd-d8af-4b86-846b-090f7ecd58d8.filesusr.com/ugd/9058e5_4206d1a05f794ed4b896c91960346c45.pdf?index=true
    • https://b962d5b8-8819-42e3-9ba3-d95e8366760e.filesusr.com/ugd/f51585_c2084be92cb74a5eb76d2633829c1470.pdf?index=true
    • https://uploads.strikinglycdn.com/files/36d65ce4-d20c-4cbb-a8f0-24f1fade7936/7646892783.pdf
    • https://uploads.strikinglycdn.com/files/64c1c272-2719-433c-9664-9c7e3aa468dc/39270013696.pdf
    • https://uploads.strikinglycdn.com/files/b2614d62-c8a4-4734-ad28-6da794dad796/what_is_qms_subwoofer.pdf
    • https://d67926d6-99fe-48a4-938f-95006fdf2de6.filesusr.com/ugd/21d82e_335203eaa07541e88950eeb78858bc74.pdf?index=true
    • https://e108c0fa-8e70-4110-aab7-e0d30777705f.filesusr.com/ugd/d9966b_87a8ebfe64924fa9b724f5651cd068c0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/af20e773-59f8-49ec-a684-ad244f3eab11/50385940309.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f192.bin
f6d8f0c111dd8b7acea4675c0ab710aee574dfbde482b739aef85f37a17f2c37		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF192 6832 bytes
font_01_sfnt_off000102e0.bin
b458373d036ebe101164aac9d1b57af7cb0b31d78d67a256735f436138a26181		 pdf-font-stream PDF embedded font (sfnt) at offset 0x102E0 5676 bytes
font_02_sfnt_off00011632.bin
f9a7d7ac4ae473b973d21c04687cde1081a9740a663ac0f2b91628fb9fc99f8f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11632 11520 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.