Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ba35699efa3a754…

MALICIOUS

PDF

102.6 KB Created: 2021-05-20 13:52:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d0c571763802f6f0ed8ed94296f10cc3 SHA-1: d0fc735af3068d9a552ee666621cbf5fbf65c4f3 SHA-256: 1ba35699efa3a754519c9691a1c5b5594e297300ebda4ae514793d4845e0736d
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of external links, many of which point to Weebly-hosted PDFs, suggesting a link farm or SEO spamming operation. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or malware distribution. The presence of embedded URLs and the 'PDF_SEO_LINK_FARM' heuristic confirm the attack pattern of directing users to external, potentially malicious, content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/strik?utm_term=poetics+by+aristotle+in+urdu+pdf
    • https://zugufanebuloko.weebly.com/uploads/1/3/4/0/134016669/kezev.pdf
    • https://vakitisize.weebly.com/uploads/1/3/4/0/134017930/f4f2f8b05d87f0.pdf
    • https://panulozeti.weebly.com/uploads/1/3/5/3/135351273/kebarudo-belofena-zirafozatogab-mipisoloma.pdf
    • https://vepimogarib.weebly.com/uploads/1/3/4/8/134856589/9739522.pdf
    • https://kixorixoti.weebly.com/uploads/1/3/0/7/130740187/4846864.pdf
    • https://sewizafisebe.weebly.com/uploads/1/3/1/4/131437566/nijawumeri.pdf
    • https://tirotirow.weebly.com/uploads/1/3/1/3/131380420/kuzobil.pdf
    • https://vexefanakaxaki.weebly.com/uploads/1/3/4/8/134871487/bobarusodadurusuni.pdf
    • https://cdn-cms.f-static.net/uploads/4372373/normal_600cfbba2a50e.pdf
    • https://ruregeriwak.weebly.com/uploads/1/3/4/6/134666462/e4366.pdf
    • https://sazezikamujut.weebly.com/uploads/1/3/1/4/131438312/jifufadupokuwaj-likuron-vebepo.pdf
    • https://buranujepexu.weebly.com/uploads/1/3/4/3/134339299/riremirutupazu.pdf
    • https://zikagedatudupoz.weebly.com/uploads/1/3/4/2/134266226/8993457.pdf
    • https://zurowesijeja.weebly.com/uploads/1/3/4/6/134630916/2865997.pdf
    • https://cdn-cms.f-static.net/uploads/4465003/normal_60223ca10e8c6.pdf
    • https://cdn-cms.f-static.net/uploads/4367960/normal_601954851fffa.pdf
    • https://lapefobok.weebly.com/uploads/1/3/4/6/134663543/58efd5f256.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/87955d7a-3e16-4dd0-b9dd-687b785d96ef/65396349556.pdf
    • https://uploads.strikinglycdn.com/files/0d88d2f9-ec4e-4a79-b9c2-23f15f9a46c5/wedamokovugumipudo.pdf
    • https://uploads.strikinglycdn.com/files/b48ba5ac-e3e1-4ffa-a5fe-49c7f6c9247b/jofasiro.pdf
    • https://uploads.strikinglycdn.com/files/0c648f8b-456c-4f5d-8940-d1a21d3bef6c/explain_effectual_calling.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001219c.bin
ca6a41b19292614c7972e47995b763b7431d275caa7776abd8a785bbfc53dae4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1219C 5392 bytes
font_01_sfnt_off00013403.bin
2589c62f748167b7899ce7c99a05500879a1fe092c14b49e892e0796e2c7f70e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13403 11652 bytes
font_02_sfnt_off00015b9d.bin
ec67ad1f04a8d114685d5cb85c2292310acf81628c630ee27922905fff0798a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15B9D 21004 bytes
font_03_sfnt_off00017e9c.bin
da1ce15a3dcb87366ef554f18fe7e19697ec1e1f21160e1621377c0aa991c25c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17E9C 2916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.