Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ac9daa8c0496630…

Verdict: MALICIOUS
File type: PDF
Size: 85.6 KB
Created: 2021-03-20 11:29:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dfb098dc831c05c7bfbeb20cc6e2e822
SHA-1: 7b4473e30673dc8125fd9822002c12375cb24a9b
SHA-256: 1ac9daa8c049663085bf20909288fe5bed712c6b2cf22124e8179e0f00d63280
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a pattern often used for SEO manipulation or to redirect users to malicious sites. The PDF_SEO_LINK_FARM heuristic flags exactly this behavior, indicating a potential link farm. The embedded URL and the document's metadata suggest it masquerades as a player's guide to attract clicks. No scripts were extracted, but the many external links point to a phishing or malicious-redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 5

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/wix?keyword=harvest+moon+64+player%2527s+guide
    • https://dikasawo.weebly.com/uploads/1/3/5/3/135349802/venazumezup-bupizotipaxar.pdf
    • https://mafekesajivirik.weebly.com/uploads/1/3/4/3/134381466/dcc8d551bf256.pdf
    • https://cdn.sqhk.co/xeposetuge/hEPlih2/narrator_s_voice_latest_mod_apk.pdf
    • https://cdn.sqhk.co/sezelijimofi/jijfgVs/initial_d_drift_stage_game.pdf
    • https://static.s123-cdn-static.com/uploads/4496812/normal_5fc825eb7779e.pdf
    • https://zonujonuwug.weebly.com/uploads/1/3/4/3/134309714/vomokadaxuzora_matexuwikafidu_fomigoxagiv.pdf
    • https://cdn-cms.f-static.net/uploads/4481552/normal_6036167a02abb.pdf
    • https://cdn.sqhk.co/gotuxixovumu/jj61jez/101_okey_internetsiz_indir_gezginler.pdf
    • https://cdn.sqhk.co/fidumugovoz/jibgia0/35529685972.pdf
    • https://static.s123-cdn-static.com/uploads/4476445/normal_6002c2b0e0689.pdf
    • https://cdn.sqhk.co/xugavizira/ifgBVfR/how_to_say_basketball_hoop_in_spanish.pdf
    • https://rijopadanag.weebly.com/uploads/1/3/1/0/131070137/9666977.pdf
    • https://cdn.sqhk.co/tuzojivemepe/hgVWfib/guideone_specialty_mutual_insurance_company.pdf
    • https://cdn.sqhk.co/lanamixese/djbigji/1524438476.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://2e21b658-2967-4279-8f18-a03590b678a5.filesusr.com/ugd/f5e1b2_0c124d42c2eb4067aff7b5071d7f2c5f.pdf?index=true
    • https://0f7a2101-273c-4f7f-b1fd-079d1ad923c1.filesusr.com/ugd/a7ea6f_f7c1d394ca3044a5aa8cf1ee49d06173.pdf?index=true
    • https://8607b5f8-c2b2-49b7-a314-b17bd4efff40.filesusr.com/ugd/d99252_5f7e465cfdf745ee96f9a19641e4dde5.pdf?index=true
    • https://2e9d2e4a-15d5-4529-8b29-235aceea4e08.filesusr.com/ugd/cac96f_2bb028b67af749a48f1b04b51fe23f67.pdf?index=true
    • https://40785fcd-1e5e-4316-9306-5db1d5795eae.filesusr.com/ugd/2f07a1_a2b0d9689cf145c0915bfeb62017b6f7.pdf?index=true
    • https://88bec3ce-9cdd-4818-a95b-bcf8ac49d1e7.filesusr.com/ugd/72df48_44ea0cee6b2d428ebd4e761ffc917ab1.pdf?index=true
    • https://46c0acaa-de7d-4f46-84f0-c2cf1d8ff7d9.filesusr.com/ugd/ac1638_92cdfbd9fb124322bb8500d3479b2619.pdf?index=true
    • https://734e8db3-b9db-457c-abaa-08c06218e7ae.filesusr.com/ugd/f6bb82_b3ab11b8658742c1a7ddf7619c274670.pdf?index=true
    • https://2a1457bb-a4d2-449b-8914-d784a503a6da.filesusr.com/ugd/c0fca2_fdc5d493538541f393b5be1d85fbd1f2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f19c.bin
    SHA-256: 67f1f029d68fe1bd3af1698075a291aee79633e556d4d6a9e9989657a3e12b2e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF19C
    Size: 4232 bytes
  • font_01_sfnt_off00010075.bin
    SHA-256: 399caf9635827e471df5832a595c69d1cfa1e8946e2ab1da22c03851cc2e9271
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10075
    Size: 5560 bytes
  • font_02_sfnt_off00011359.bin
    SHA-256: c513c3b3a4b2065fc71be9d3f1d8365e628b4ba7beb3967a4b499036b2e6e862
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11359
    Size: 11552 bytes
  • font_03_sfnt_off00013a2f.bin
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13A2F
    Size: 4324 bytes