Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b885a4a420ca7d8…

MALICIOUS

PDF

Size: 85.1 KB
Created: 2021-03-16 23:02:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: 4c5cc8406fbc34ddcbae613dbd57aae9
SHA-1: de24ddc7d9a86a8ab5741a54692d7c484878c8ff
SHA-256: 1b885a4a420ca7d894d960c8c80b34a4f247680f6c5602df4c55e590c62c78c9
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or SEO manipulation tactic. The embedded URLs and the document's apparent purpose of directing users to external sites align with phishing or malware distribution attempts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/award?keyword=silent+words+in+english+a+to+z+pdf (PDF link annotation)
    • https://cdn.sqhk.co/sutexasav/gjgeqde/centrale_sans_light_font_free.pdf (in PDF document text)
    • https://cdn.sqhk.co/pinufizugal/0Heghhb/kabir_singh_bekhayali_song_ringtone.pdf (in PDF document text)
    • https://cdn.sqhk.co/puwukuwos/gcxrBu9/36573855122.pdf (in PDF document text)
    • https://cdn.sqhk.co/vetukalujir/ghy3sij/nuwafupazuturakiga.pdf (in PDF document text)
    • https://cdn.sqhk.co/pilozarager/hizIjgw/character_creator_3_free_with_crack.pdf (in PDF document text)
    • https://cdn.sqhk.co/jatizaru/Njjigjg/mass_car_bill_of_sale_template.pdf (in PDF document text)
    • https://cdn.sqhk.co/birenejar/ncnFLhi/ponufimagelapa.pdf (in PDF document text)
    • https://cdn.sqhk.co/dukosisevu/jdib4R1/anime_face_avatar_maker_apps.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6e098252-1c00-4978-83f1-a756cd7137ca/meselanovatedal.pdf (in PDF document text)
    • https://s3.amazonaws.com/jasadavebaga/information_architecture_web_template.pdf (in PDF document text)
    • https://s3.amazonaws.com/sinadi/magic_cap_video.pdf (in PDF document text)
    • https://e25b7b56-d8f7-44cb-9276-56428e53d1cc.filesusr.com/ugd/63f3e8_78666c31597f4cd0a00c817633b61b36.pdf?index=true (in PDF document text)
    • https://9e730ba1-499c-413e-9a09-8a81f8121270.filesusr.com/ugd/0a0016_0ed5a2b16e254beea92e5f3250a2be41.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/bulolimepol/72826344791.pdf (in PDF document text)
    • https://c3a7a64c-5591-430b-94d7-c2eadfdf3523.filesusr.com/ugd/966478_6bff90f2873340acaf92d1d78b9bc181.pdf?index=true (in PDF document text)
    • https://041aa876-b65b-432c-96c0-58c8b295a4e4.filesusr.com/ugd/90d19e_32b1529c38a24a2b8a2639276fb12d9e.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7ddf1e2d-d93a-49e5-94a6-83bc3191b3df/what_is_meant_by_psychoanalysis.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/01bd96fc-126e-4171-9f63-947721d74fd1/dibufonizasaworiwa.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/02a446b5-92b8-466e-b323-bea54b57fa00/fifty_shades_of_grey_movie_plot.pdf (in PDF document text)
    • https://54d25d35-1219-4e5f-97c3-905e72ea606f.filesusr.com/ugd/6d59ab_bea963e9d9ab4b63bba520e9593c3080.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/novipaliwid/gamecube_emulator_android_32_bit.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ffd9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFFD9 | 5336 bytes
  SHA-256: 9a1b7752b5458ae416af8a8880cec788647aff0e3a9ad4302285ea461fcdb05b
font_01_sfnt_off00011207.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11207 | 11624 bytes
  SHA-256: 66875d53db315adbe0ff3a16be0654c6af00b7b51e047b63edad8ad03467e3a0
font_02_sfnt_off00013929.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13929 | 4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3