Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fcc37014c28ea67…

MALICIOUS

PDF

Size: 71.4 KB
Created: 2021-03-21 23:50:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f16cedde2a8030a079283fd105d7f5d
SHA-1: ea5665dd5f59f4a33b2322391acecbc91b374de7
SHA-256: 1fcc37014c28ea67f5a38c8e0e38e2887ee6be9e83b60832ab32b44e9b8411b5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable external links, most of them to SEO-keyword PDF pages clustered on a few file-hosting CDNs (cdn.sqhk.co, cdn-cms.f-static.net, filesusr.com, strikinglycdn.com). Together with the wkhtmltopdf producer string, which means the file was rendered from HTML, this matches a generated link-farm or phishing carrier rather than a document with genuine citations. The ClamAV signature and the ML classifier both indicate malicious intent. No script was extracted from the file, so the T1059.007 (JavaScript) mapping is not backed by recovered code; the verdict rests on the document's structure and the fired heuristics (external URI actions, the link-farm cluster, and an object number defined twice with different bodies in an incremental update), which point to a document built to route users to potentially harmful websites. Seven of the extracted URLs (the w3.org, purl.org and ns.adobe.com XMP namespace identifiers and the scripts.sil.org/OFL font-licence URL) are metadata URIs, not clickable links, and should not be counted towards the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/wix?keyword=a+raisin+in+the+sun+study+guide+questions+and+answers+act+1+scene+2
    • https://cdn-cms.f-static.net/uploads/4473619/normal_5fe91f28318bb.pdf
    • https://cdn.sqhk.co/moxelutedoje/fhjjaev/assassin_s_creed_valhalla_wallpaper_1366x768.pdf
    • https://cdn.sqhk.co/meradipuwiz/sYWOgjl/90290869475.pdf
    • https://static.s123-cdn-static.com/uploads/4449405/normal_5fce8ec53ed13.pdf
    • https://cdn.sqhk.co/tasokuxu/VhcjdMz/sanagelimuni.pdf
    • https://cdn.sqhk.co/vusanutoj/Gaojcie/download_gangstar_crime_city_for_android.pdf
    • https://cdn.sqhk.co/besimiwi/cjhGMFH/pejojezovabekajap.pdf
    • https://cdn.sqhk.co/mudaxomemut/5gdJxhr/panabipatewoveguwa.pdf
    • https://cdn-cms.f-static.net/uploads/4486200/normal_600aab830ed7a.pdf
    • https://cdn-cms.f-static.net/uploads/4380090/normal_602933eaa3f57.pdf
    • https://cdn.sqhk.co/wevexifimur/jgs2Ihf/vasururunazikojidulusu.pdf
    • https://cdn.sqhk.co/nasubivapu/igiLcHj/windows_media_center_fm_radio_tuner_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://254a6a59-343e-4b7e-907c-c4819e171fff.filesusr.com/ugd/decf6f_ab5b239bfc464569a02be42020aff6e4.pdf?index=true
    • https://f48d4657-0741-4d03-86fb-270e41f4932c.filesusr.com/ugd/6166c9_19928ef180a447ada39b4a9f0e476209.pdf?index=true
    • https://3df06c22-1e8a-4082-8cc2-a0fdc0609706.filesusr.com/ugd/d86e81_f2142f5ec7344bc19c03a92b0a6b89d5.pdf?index=true
    • https://2daccc73-8708-4113-a26a-4f38906335d9.filesusr.com/ugd/f65175_7420559b4c844737994d9a94241541d2.pdf?index=true
    • https://229c3593-bb94-4e5d-9b9f-ca3747df48ef.filesusr.com/ugd/145364_a0fe00a0d3274384bc2ac417f37b10b3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6e95eeb0-7199-4599-9675-284a533d9d43/22786376317.pdf
    • https://4f65501f-cdae-4966-b9db-49b15ad9d196.filesusr.com/ugd/52b593_c0f170f48055402c827f023067e6fd44.pdf?index=true
    • https://uploads.strikinglycdn.com/files/64e33600-7917-4419-a410-45d4d3af1b26/bofipufom.pdf
    • https://cb8582fb-ab29-4f13-bfd4-623ca244ab52.filesusr.com/ugd/d61b30_a5a2a6c62b77444cada2c8994082e88b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
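As an added example (not the analyser's own code or any tooling from this report), the following Python script shows how three of the structural heuristics above can be reproduced on raw PDF syntax: URL extraction with a per-channel label (EMBEDDED_URL), the small-file link-farm test (PDF_SEO_LINK_FARM) and detection of an object number defined twice with different bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). The sample PDF it builds, the *.test hosts in it and the thresholds (200 KB, 8 links, 50% on one host) are constructed assumptions, not values from this report.

```python
"""Scan raw PDF object syntax for link-farm URIs and duplicate object bodies.
Added example; the sample PDF and all *.test hosts are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed: seven clickable PDF links on one host, two on another.
LINK_URIS = [f"https://cdn.linkfarm.test/u{i}/file{i}.pdf" for i in range(7)] + [
    "https://uploads.other.test/files/a.pdf",
    "https://uploads.other.test/files/b.pdf",
]

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\s(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
# Script- and launch-type actions count as "active"; a plain /URI link does not.
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|SubmitForm|ImportData|GoToR)\b")


def build_sample_pdf() -> bytes:
    """Constructed one-page PDF: link annotations plus XMP metadata, followed by
    an incremental update that redefines annotation object 5 with a JavaScript
    action. xref tables are omitted (the /Prev value is a dummy) because the
    scanner below reads raw 'N G obj ... endobj' syntax, not the xref."""
    objs = {1: "<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            2: "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"}
    annots = []
    for i, uri in enumerate(LINK_URIS, start=5):
        objs[i] = (f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                   f"/A << /S /URI /URI ({uri}) >> >>")
        annots.append(f"{i} 0 R")
    objs[3] = f"<< /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >>"
    xmp = ('<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:xmp="http://ns.adobe.com/xap/1.0/"/>')
    objs[4] = (f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
               f"stream\n{xmp}\nendstream")
    out = "%PDF-1.4\n" + "".join(f"{n} 0 obj\n{objs[n]}\nendobj\n" for n in sorted(objs))
    out += "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number 5, different body, now carrying JS.
    out += ("5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            "/A << /S /JavaScript /JS (app.launchURL(\"https://cdn.linkfarm.test/drop.pdf\", true)) >> >>\n"
            "endobj\ntrailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return out.encode("latin-1")


def scan_objects(data: bytes) -> list:
    """Return (num, gen, body, offset) for every 'N G obj ... endobj' in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def channel_of(body: bytes) -> str:
    """Label the channel that reached a URL, in the spirit of EMBEDDED_URL."""
    if re.search(rb"/(JS|JavaScript)\b", body):
        return "javascript"
    if re.search(rb"/Subtype\s*/Link\b", body):
        return "link_annotation"
    if re.search(rb"/Type\s*/Metadata\b", body):
        return "xmp_metadata"
    return "document_body"


def extract_urls(data: bytes) -> dict:
    """Map each distinct URL to the first channel it was seen in."""
    found = {}
    for _num, _gen, body, _off in scan_objects(data):
        ch = channel_of(body)
        for m in URI_RE.finditer(body):          # /URI (...) action strings
            found.setdefault(m.group(1).decode("latin-1"), ch)
        for m in URL_RE.finditer(body):          # any other http(s) literal
            found.setdefault(m.group(0).decode("latin-1"), ch)
    return found


def link_farm_verdict(data: bytes, max_size=200_000, min_links=8, min_share=0.5) -> dict:
    """PDF_SEO_LINK_FARM-style check: small file, many clickable external .pdf
    links, mostly on one host. Only link annotations count; metadata and script
    URLs are excluded. Thresholds are assumptions for this example."""
    clickable = [u for u, ch in extract_urls(data).items() if ch == "link_annotation"]
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).netloc for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fired = len(data) <= max_size and len(pdf_links) >= min_links and share >= min_share
    return {"fired": fired, "size": len(data), "clickable": len(clickable),
            "pdf_links": len(pdf_links), "top_host": top_host, "top_share": round(share, 2)}


def duplicate_objects(data: bytes) -> list:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check: object numbers defined
    more than once with differing bodies, and whether a first-wins or a
    last-wins reader would resolve active content."""
    defs = {}
    for num, gen, body, off in scan_objects(data):
        defs.setdefault((num, gen), []).append((off, body))
    report = []
    for (num, gen), bodies in defs.items():
        if len(bodies) < 2 or len({b for _, b in bodies}) < 2:
            continue  # identical duplicate bytes are treated as benign here
        first, last = bodies[0][1], bodies[-1][1]
        fw, lw = bool(ACTIVE_RE.search(first)), bool(ACTIVE_RE.search(last))
        report.append({"obj": f"{num} {gen}", "definitions": len(bodies),
                       "first_wins_active": fw, "last_wins_active": lw,
                       "severity": "critical" if (fw or lw) else "info"})
    return report


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for url, ch in extract_urls(pdf).items():
        print(f"{ch:16} {url}")
    print(link_farm_verdict(pdf))
    print(duplicate_objects(pdf))
```

Run with python3: it prints each URL with its channel, the link-farm verdict and the duplicate-object report. The second definition of object 5 is the point of interest: a first-wins reader resolves a plain /URI link, a last-wins reader resolves a /JavaScript action, so the two see different content, which is the divergence the heuristic flags, and the severity is raised because one side carries active content. Real samples usually hold annotations inside /FlateDecode and object streams, so a production scanner has to inflate streams before this regex pass; the example keeps everything uncompressed to stay self-contained.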

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d93a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD93A
    Size: 5664 bytes
    SHA-256: 0b823cae97434cedcbf25bcac08f75790f6100dcbc885a993b3c71b141a690b2
  • font_01_sfnt_off0000ec8f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC8F
    Size: 9712 bytes
    SHA-256: fbf8ffa52fd99fe32baafea325be62b7d40340f4d6835798b97ddb9f3fafd092