Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e241917873c8061…

Verdict: MALICIOUS

File type: PDF

Size: 110.7 KB
Created: 2021-03-19 06:02:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1a3ff9e37f1030e42061722cbf9a9a7c
SHA-1: 21af2163113c20fc0689039fa810adf97f655b30
SHA-256: 1e241917873c8061b42167987e2f642ddb263cc362dde06ccc26715712c63e11
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which are SEO-optimized to appear as legitimate documents but lead to potentially malicious sites. The heuristic 'PDF_SEO_LINK_FARM' flags the large number of these links, which suggests a link farm used for SEO manipulation or phishing. The ClamAV detection and the ML classifier further support the malicious verdict; the file most likely serves as a lure leading to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://botokaw.ru/wix?keyword=acid+base+worksheet+answer+key
    • http://zyzycheat8.xyz/xupelafzyico.pdf
    • https://bovaromekefa.weebly.com/uploads/1/3/4/4/134403346/kajelobuvox.pdf
    • https://cdn-cms.f-static.net/uploads/4383131/normal_60356fd1ee4f6.pdf
    • https://static.s123-cdn-static.com/uploads/4445877/normal_5fdfab053b943.pdf
    • http://moratelusubuzol.22web.org/23494225013.pdf
    • http://merovew.xyz/la_sombra_del_viento_resumen_por_capitulos9z7op.pdf
    • https://raxagipob.weebly.com/uploads/1/3/4/8/134883443/40155f11bcf9f3.pdf
    • http://gomijojupi.iblogger.org/fallout_3_replicated_man_guide.pdf
    • https://rosexanovetaw.weebly.com/uploads/1/3/0/8/130814227/99cebde5d8caf72.pdf
    • https://zimivopup.weebly.com/uploads/1/3/1/3/131381614/7157332.pdf
    • http://xekusevaguviz.iblogger.org/tuxovelojo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/datarofapakil/diroxi.pdf
    • https://d4078116-a2d5-466f-97e6-20d899f6ca30.filesusr.com/ugd/576447_d53bc530ce1c42fc82382d781196bdc4.pdf?index=true
    • https://24451074-f53b-4065-993c-779ba3957988.filesusr.com/ugd/0ae25f_1f69b4f1c4f34a6bbd69f943c81cb9cd.pdf?index=true
    • https://944456f3-75eb-4cd6-bbfd-656b3713ada1.filesusr.com/ugd/2c8d66_70ee8ccfc60e4f2295c203539b74e6e7.pdf?index=true
    • https://s3.amazonaws.com/tufujifinobiro/nonunokitejonivalemeliso.pdf
    • https://s3.amazonaws.com/wifiduxezo/zijezoxinegijeteg.pdf
    • https://ac25a69f-a984-4293-9c3d-8c9e0f062535.filesusr.com/ugd/cbf077_9e9d3e470918410eb1692056dc592c8d.pdf?index=true
    • https://s3.amazonaws.com/mesixadelomomo/colligative_properties_practice_problems_with_answers.pdf
    • https://s3.amazonaws.com/sugowubuf/personal_investment_strategy_template.pdf
    • https://627f215e-41ba-4aa4-9906-5f9f9d117739.filesusr.com/ugd/8ab72e_c49cbe563f8b43f08b360bfc435843ad.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00016a6a.bin
    SHA-256: a17885b4fd577e0298a64705d5055d2ac7c2363fd7008e9cf236b3df412a17d8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16A6A
    Size: 2828 bytes
  • font_01_sfnt_off00017464.bin
    SHA-256: 0f071d1288cb99fab44a5c45cb701e9ace8c2234590d9ebbc60913ac68ecb7fd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17464
    Size: 5384 bytes
  • font_02_sfnt_off000186c0.bin
    SHA-256: d7bdadbe29dcd359cef19fea0e2ec112ff69dd7c95b60620b927adb073c6dff3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x186C0
    Size: 10520 bytes