Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ce8bc5536aea680…

MALICIOUS

PDF

95.8 KB Created: 2021-03-27 13:53:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aae996088d85b9b3fbaba3c6ec185ed0 SHA-1: 61d8bc65467d83f7ed9a41472eed2d4bff14ca8e SHA-256: 1ce8bc5536aea6806f81e6495d543d38b33e20478f2e34e4e8f801c8f1815a5f
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains numerous external links, with a significant number pointing to PDF files hosted on platforms like Weebly, suggesting a link farm or redirection mechanism. The heuristic 'PDF_SEO_LINK_FARM' and the presence of a URL related to 'linksys extender' in the document body indicate a lure to external content. The ML classifier and ClamAV detection strongly suggest malicious intent, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=why+is+my+linksys+extender+orange
    • https://xawupaxov.weebly.com/uploads/1/3/4/6/134699297/boreforafewas-sebekonos.pdf
    • https://cdn-cms.f-static.net/uploads/4421477/normal_605bcb7b66895.pdf
    • https://static.s123-cdn-static.com/uploads/4459185/normal_6000403d3dcbb.pdf
    • https://vomizovuzib.weebly.com/uploads/1/3/1/6/131637161/2594577.pdf
    • http://copyrightnotice-ig.com/5e_versatile_monk_weaponr7wka.pdf
    • https://bawekiseboluxis.weebly.com/uploads/1/3/5/3/135327810/maluvot.pdf
    • https://kapilike.weebly.com/uploads/1/3/4/6/134686456/kutuzokopufipo-bufezarodurube-sudatug-jibebogajal.pdf
    • https://wefizaxire.weebly.com/uploads/1/3/0/9/130969527/17693d90452.pdf
    • https://cdn-cms.f-static.net/uploads/4378628/normal_602923211c826.pdf
    • https://komiwafaka.weebly.com/uploads/1/3/2/7/132712661/vepisomexogosero.pdf
    • http://walletelectrum.buzz/anchor_bolt_calculation_xls7xrwk.pdf
    • https://xumomeroruv.weebly.com/uploads/1/3/4/2/134266579/db0042b25760.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/447bf269-220c-4f56-a0c9-f54346f41c4f/vokefi.pdf
    • https://011f98f8-b45f-4578-a2fd-466b530f7845.filesusr.com/ugd/74e905_a0cd1d37f13f4c5d823dd7e50a455030.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d86e94ad-f03d-4e6e-bfc8-34ce994b449a/judith_butler_performative_acts_and_gender_constitution_summary.pdf
    • https://3557a179-a1ee-4801-a209-85ad6f504536.filesusr.com/ugd/9c409a_0aa4f0a536a645d78884fc0cf36f0525.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001366e.bin
cd051d19be7e9c6d19f16269cf5c582d272be6528888c98bcc901ec022665058		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1366E 5484 bytes
font_01_sfnt_off000148ff.bin
e2410b5388f12ad35af123d618075ed78ce0df4e46a9f3a59017fdb355e14c69		 pdf-font-stream PDF embedded font (sfnt) at offset 0x148FF 11900 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.