Malicious PDF — malware analysis report

Static analysis result for SHA-256 19da153e7a227c25…

Verdict: MALICIOUS
File type: PDF
Size: 84.0 KB
Created: 2021-03-07 03:07:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8847dbf1f706286fba5425559e33776
SHA-1: 7d2547c95c5cb17a869d024dc5b8eaac28f15dcb
SHA-256: 19da153e7a227c2513434728bc4e9d8d2fb810f31a2e2cf819cb649d5c5b52e1
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF triggered a link-farm heuristic: it carries 30 external PDF links, which suggests an attempt to manipulate search engine results or to route readers to further malicious content. The presence of a 'download button' lure and an embedded URL further supports malicious intent. The ML classifier strongly flagged this PDF as malicious, indicating a high probability of malicious functionality.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, id: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, id: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f67b.bin
    SHA-256: fc330bff5d0e06a2144bc04eb94943dac05608cc8b909509bda83307b3d0de37
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF67B
    Size: 5328 bytes
  • Filename: font_01_sfnt_off00010893.bin
    SHA-256: 2f500694660983b2db0bf7dfa3cb510931bf15f4764f2df7bc82d363d3c4e77d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10893
    Size: 10640 bytes
  • Filename: font_02_sfnt_off00012d3b.bin
    SHA-256: 9b6ad5722d12b30ebaf898f562fd4d85af749794f3aca0f1f676e444c262175b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D3B
    Size: 16088 bytes