Malicious PDF — malware analysis report

Static analysis result for SHA-256 1cffe320f2804ea3…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Created: 2021-04-15 14:42:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b61d19323debdfda5ad8f3853cb95107
SHA-1: cf63e11956924319e35ef075c529af00868722a5
SHA-256: 1cffe320f2804ea35172590eac38f47490538b7c9053d971c1e2d5b9da8d85e7
Risk score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

ML classification and a ClamAV signature (Pdf.Phishing.Trojan) both identify the file as malicious. The PDF itself carries no exploit; the risk is in where its links lead. It embeds a large number of clickable external URLs spread thin across many unrelated hosts, most of them free or disposable content hosts, together with a utm_term SEO-redirector link: the 'free document/template' link-farm pattern that ranks for search queries and routes visitors into redirect or payload chains rather than a normal citation pattern. Structurally, the file also defines at least one indirect object twice with different bodies, a parser-confusion shape that first-wins and last-wins readers resolve differently; that finding is rated info here because the duplicate does not carry active content.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9992

Heuristics (5)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that keeps the first definition and one that keeps the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (a URI, launch or script action); here it stays at info.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/strik?utm_term=theory+uk+test+book
    • https://zasefupaboz.weebly.com/uploads/1/3/2/3/132302972/feaf405e.pdf
    • https://cdn-cms.f-static.net/uploads/4460071/normal_604b0110d4685.pdf
    • https://static.s123-cdn-static.com/uploads/4406473/normal_5fee2d757d6f9.pdf
    • http://yarrebitteh.online/tumutdr87l.pdf
    • http://neojust.ru/why_is_my_petsafe_wireless_transmitter_beepingbcw2c.pdf
    • https://static.s123-cdn-static.com/uploads/4404122/normal_5ff580a86a553.pdf
    • http://powerpoint4you.ru/starcraft_remastered_download0ef2x.pdf
    • http://ryduslim.website/libros_de_tuti_furlanilm3m.pdf
    • https://kipobibupu.weebly.com/uploads/1/3/4/3/134367270/viluvopaketa-xatopunudas-paputevaxida-gumanazupanuw.pdf
    • http://muzoc.xyz/19983359644l854r.pdf
    • http://septiki-rf.website/95415013608z72x9.pdf
    • https://cdn-cms.f-static.net/uploads/4378175/normal_605ef37494edf.pdf
    • https://nusisudarebo.weebly.com/uploads/1/3/4/3/134349377/a73590.pdf
    • http://daddytestit.xyz/98252981188uf0g8.pdf
    • http://spencermcman.us/51921812251hy8xu.pdf
    • https://dakubotamijez.weebly.com/uploads/1/3/2/7/132712147/6856400.pdf
    • https://uploads.strikinglycdn.com/files/eb2e250e-f2f7-4f3e-b2de-ceed2fab2224/63621892328.pdf
    • https://5c817321-7c0c-448b-959d-deb1da9fd788.filesusr.com/ugd/19103d_22baf01a3b1d4a2dbb089095916a915b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9b84415f-1260-4ecb-b6ea-8dc561f8c5f5/lepunidixanivebofi.pdf
    • https://uploads.strikinglycdn.com/files/55520cb9-6f8b-426e-b95d-b5edd070f886/bazakogonafubomuvidog.pdf
    • https://uploads.strikinglycdn.com/files/09dc5ba6-0453-43a6-afba-b2cc500f6659/2985041271.pdf
    • https://uploads.strikinglycdn.com/files/385cccf1-710b-4ded-a850-43ea3ec7e44c/best_breast_milk_storage_bags_for_spectra_s1.pdf
    • https://c2267750-1f6d-4c2f-944a-eb302c7f07d7.filesusr.com/ugd/93971e_592f2d298d5e43de8bce3e0f27fb3737.pdf?index=true
    The remaining URIs are not clickable link targets: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, scripts.sil.org/OFL is the SIL Open Font License URL, and the ascendercorp.com entries are font vendor/designer links, all of the kind carried in the document's XMP packet and in the name tables of the embedded sfnt fonts listed under Extracted artifacts. They are listed for completeness only.
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
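
The host-dispersion logic behind the PDF_SEO_DISPOSABLE_LINK_FARM heuristic, as an added example and not the analysis platform's own rule code. It scores a URL list the way the rule text describes: many clickable links, no single dominant host, corroborated by a utm_term SEO redirector and/or links parked on free or disposable hosts. The thresholds and the disposable-host suffix list are assumptions chosen for illustration; the sample URLs are a subset of the list extracted from this file above, and the benign control set is constructed.

```python
"""Host-dispersion check behind a 'link farm' verdict.

Added example, not the report's own detection code. Reproduces the shape of
PDF_SEO_DISPOSABLE_LINK_FARM: many clickable external links spread thin
across distinct hosts with no dominant host, corroborated by a utm_term
SEO-redirector link and/or links parked on free or disposable content hosts.
Thresholds and the disposable-host list are assumptions.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: parent domains of free/throwaway site builders and file hosts.
DISPOSABLE_HOST_SUFFIXES = (
    "weebly.com", "f-static.net", "s123-cdn-static.com",
    "strikinglycdn.com", "filesusr.com",
)

# XMP namespace identifiers and font-licence URIs are not clickable targets;
# they are excluded before scoring so metadata does not inflate the host count.
METADATA_URI_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
    "http://scripts.sil.org/OFL",
)

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_disposable(host):
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)

def is_seo_redirector(url):
    # utm_term carrying a search phrase is the SEO-redirector tell the rule mentions.
    return "utm_term" in parse_qs(urlsplit(url).query)

def link_farm_report(urls, min_links=10, max_dominant_share=0.35, min_disposable=3):
    """Summarise host dispersion and decide whether the link-farm shape is met."""
    links = [u for u in urls if not u.startswith(METADATA_URI_PREFIXES)]
    hosts = Counter(host_of(u) for u in links)
    dominant_host, dominant_count = hosts.most_common(1)[0] if hosts else ("", 0)
    dominant_share = dominant_count / len(links) if links else 0.0
    disposable = [u for u in links if is_disposable(host_of(u))]
    redirectors = [u for u in links if is_seo_redirector(u)]
    flagged = (
        len(links) >= min_links
        and dominant_share <= max_dominant_share          # no single dominant host
        and (bool(redirectors) or len(disposable) >= min_disposable)
    )
    return {
        "link_count": len(links),
        "distinct_hosts": len(hosts),
        "dominant_host": dominant_host,
        "dominant_share": dominant_share,
        "disposable": disposable,
        "redirectors": redirectors,
        "flagged": flagged,
    }

# Subset of the URLs extracted from the analysed file (listed in the report above).
SAMPLE_URLS = [
    "https://golowaki.ru/strik?utm_term=theory+uk+test+book",
    "https://zasefupaboz.weebly.com/uploads/1/3/2/3/132302972/feaf405e.pdf",
    "https://cdn-cms.f-static.net/uploads/4460071/normal_604b0110d4685.pdf",
    "https://static.s123-cdn-static.com/uploads/4406473/normal_5fee2d757d6f9.pdf",
    "http://yarrebitteh.online/tumutdr87l.pdf",
    "http://neojust.ru/why_is_my_petsafe_wireless_transmitter_beepingbcw2c.pdf",
    "https://static.s123-cdn-static.com/uploads/4404122/normal_5ff580a86a553.pdf",
    "http://powerpoint4you.ru/starcraft_remastered_download0ef2x.pdf",
    "http://ryduslim.website/libros_de_tuti_furlanilm3m.pdf",
    "https://kipobibupu.weebly.com/uploads/1/3/4/3/134367270/viluvopaketa-xatopunudas-paputevaxida-gumanazupanuw.pdf",
    "http://muzoc.xyz/19983359644l854r.pdf",
    "https://uploads.strikinglycdn.com/files/eb2e250e-f2f7-4f3e-b2de-ceed2fab2224/63621892328.pdf",
    "https://5c817321-7c0c-448b-959d-deb1da9fd788.filesusr.com/ugd/19103d_22baf01a3b1d4a2dbb089095916a915b.pdf?index=true",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
    "http://scripts.sil.org/OFL",
]

# Constructed control: a document citing one publisher's site many times.
BENIGN_URLS = [f"https://docs.example.org/report/section-{i}.pdf" for i in range(10)] + [
    "https://www.example.org/about", "https://www.example.org/contact",
]

if __name__ == "__main__":
    for name, urls in (("sample", SAMPLE_URLS), ("benign", BENIGN_URLS)):
        r = link_farm_report(urls)
        print(name, r["flagged"], r["link_count"], r["distinct_hosts"],
              r["dominant_host"], round(r["dominant_share"], 2))
```

The control set shows why dominance matters: a paper that cites one publisher a dozen times has as many links as the sample but one host owning most of them, so it never trips the rule, while the sample spreads thirteen links over twelve hosts with the redirector and seven disposable-host parks as corroboration.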
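The duplicate-object shape behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, as an added example and not the analysis platform's own parser. It scans raw PDF bytes for every `N G obj ... endobj` definition, reports objects defined more than once with differing bodies, shows what a first-wins and a last-wins reader would each resolve, and raises severity only when the duplicate carries active content, as the rule text describes. The PDF bytes are constructed for illustration (dummy xref offsets, placeholder domains) and are not taken from the analysed file; the list of "active" dictionary keys is an assumption.

```python
"""First-wins vs last-wins resolution of a duplicated indirect object.

Added example, not the report's own parser. A spec-following reader follows
the xref chain (the newest table, linked by /Prev, wins), but recovery-mode
readers that rebuild the object table by scanning the file disagree on
whether the first or the last `N G obj` definition counts. The sample PDF
below is constructed; the ACTIVE_KEYS list is an assumption.
"""
import re

# Matches `N G obj ... endobj`; the lookbehind stops `14 0 obj` matching as `4 0 obj`.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)

# Assumption: keys whose presence means the object can trigger a URL, a launch
# or a script when reached, so a differing duplicate deserves raised severity.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/SubmitForm",
               b"/GoToR", b"/OpenAction", b"/AA")

def scan_objects(pdf):
    """Return {(num, gen): [body, ...]} with bodies in file order."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs

def has_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)

def link_target(body):
    """URI a Link annotation body points at, or None."""
    m = URI_RE.search(body)
    return m.group(1) if m else None

def duplicate_report(pdf):
    """One finding per object defined more than once with differing bodies."""
    findings = []
    for key, bodies in scan_objects(pdf).items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # single definition, or a byte-identical re-emission
        first, last = bodies[0], bodies[-1]
        active = has_active_content(first) or has_active_content(last)
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins": first,
            "last_wins": last,
            # body-only drift is normal in incremental updates; raise only if active
            "severity": "medium" if active else "info",
        })
    return findings

# Constructed sample: an original document plus an appended incremental update
# that redefines the link annotation (4 0) and the info dictionary (5 0).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://benign.example/template.pdf) >> >> endobj
5 0 obj << /Title (Free template) >> endobj
xref
0 6
trailer << /Root 1 0 R /Info 5 0 R /Size 6 >>
startxref
0
%%EOF
% incremental update appended after the first %%EOF (constructed)
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (http://redirector.example/strik?utm_term=free+template) >> >> endobj
5 0 obj << /Title (Free template - updated) >> endobj
xref
0 6
trailer << /Root 1 0 R /Info 5 0 R /Size 6 /Prev 0 >>
startxref
0
%%EOF
"""

if __name__ == "__main__":
    for f in duplicate_report(SAMPLE_PDF):
        print(f["obj"], f["severity"], f["definitions"], "definitions")
        print("  first-wins ->", link_target(f["first_wins"]))
        print("  last-wins  ->", link_target(f["last_wins"]))
```

Object 5 0 changes only its /Title and stays at info; object 4 0 changes the /URI it points at, so a first-wins reader shows the benign target while a last-wins reader follows the redirector, which is exactly the disagreement the rule flags and why the analyst should check which definition the target viewer actually honours.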

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f9d3.bin
  SHA-256: 861bc6a829acb6c8d0a65ccc10ba3624910a1c73ad790855c6713df59caeaa9d
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF9D3
  Size:    4788 bytes

Filename: font_01_sfnt_off00010a1f.bin
  SHA-256: dbf6c1571f3939a59f139bf19dbd46742fd57923d376fbb0614d95b19801b149
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10A1F
  Size:    10800 bytes