Malicious PDF — malware analysis report

Static analysis result for SHA-256 19114e0dffeeb671…

MALICIOUS

PDF

82.8 KB Created: 2021-03-15 18:10:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-30
MD5: 0bfff7164839482ad5b5bde5c5cc979c SHA-1: 01e8f3f128e032637c3651bd53f7115eca8b2325 SHA-256: 19114e0dffeeb671b78b326948861000146823f17a289c1add9cecd9815836aa
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm designed to redirect users to potentially harmful content. The document body, though malformed, suggests a lure related to a programming guide, which is likely a pretext to encourage clicks on the embedded malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/wix?keyword=lego+mindstorms+ev3+programming+guide+pdf PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4422884/normal_5fe6aea176260.pdfIn PDF document text
    • https://cdn.sqhk.co/rotuzuwibi/loGhric/tour_guides_synonym.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4471706/normal_5fef12b789741.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4418583/normal_6043e25f9c8fd.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4480590/normal_5fd17b7f8a5be.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4424953/normal_60104bf7c5143.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4372371/normal_602c98453bd61.pdfIn PDF document text
    • http://nekuwagibajese.getenjoyment.net/56427266203.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4465545/normal_604d9e285a372.pdfIn PDF document text
    • http://bibuzikufaje.mygamesonline.org/99191653989.pdfIn PDF document text
    • https://cdn.sqhk.co/rorajakura/T4igheL/bejeweled_classic_online.pdfIn PDF document text
    • http://jovasetiveduza.scienceontheweb.net/celestina_resumen.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • https://ca3ec1ac-6ff7-4c8f-ae0f-86a30d86e335.filesusr.com/ugd/3615fb_74acb663b4fc4e2088746b8c7ed349d4.pdf?index=trueIn PDF document text
    • http://jitawidavez.atwebpages.com/30546248138.pdfIn PDF document text
    • https://71a0d42b-91d5-4e94-9338-ff69ca8a624b.filesusr.com/ugd/e5d5e5_1def7d2862044838babee7027d866c4f.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/5783f9b7-76fe-4cce-82f9-402f5d9d704e/19687554408.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3fcd80a0-dd2a-4bf4-ab08-c1d015420617/sentence_of_the_week_gallagher.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/26d997e4-957d-43b7-b103-650f82242f7e/74879089953.pdfIn PDF document text
    • https://06e27459-8a58-4d01-a48e-f853eab966f6.filesusr.com/ugd/55f1a0_ef38fc2f284049d4a0c8c7c766083018.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/18a549b4-33ae-4ce5-839f-9220aedc33d8/15853074805.pdfIn PDF document text
    • http://xotaferuju.myartsonline.com/jual_samsung_jitterbug_touch_3.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d48868ee-22e3-4e41-91a9-829c1267f16b/9365397193.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f66d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF66D 5376 bytes
SHA-256: 338930794d79229615cc73b3bdf06c2e2f95cb27bbc1e024eb561e8cbee248e7
font_01_sfnt_off000108ab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x108AB 11496 bytes
SHA-256: 424034bd2f4f8008f7a1977a7a76d91fbaae571ac8f03ea1179e90c52f704826
font_02_sfnt_off00012fca.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12FCA 4324 bytes
SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2

Open this report in the interactive analyzer, or submit your own file for analysis.