Malicious PDF — malware analysis report

Static analysis result for SHA-256 21c6ec81f07129ca…

Verdict: MALICIOUS
File type: PDF
Size: 90.3 KB
Created: 2021-05-24 02:01:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3fcd196e92e837853c46fcc23aef7673
SHA-1: aa5f81f182fd14f9a86b9f3e629d1d9e6e4b527a
SHA-256: 21c6ec81f07129ca95b0197f45c29cc929d6663c7cb0ef83133232c7d10fd6a5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of clickable external links, most of them to other PDFs hosted on Weebly subdomains, s3.amazonaws.com buckets and strikinglycdn/f-static CDN paths: the footprint of a generated SEO link farm rather than a document with genuine citations. The wkhtmltopdf producer string is consistent with an HTML page rendered to PDF by a generator, not a hand-authored document. The ClamAV phishing signature and the PDF classifier score (0.9919) both point to malicious intent, most likely phishing or redirection of readers into a malware or unwanted-software delivery chain. No JavaScript or other script content was extracted, so the T1059.007 mapping rests on the heuristic firings and the signature rather than on observed script, and the duplicate-object finding stays informational because the duplicated body carries no active content. The remaining URLs (w3.org, purl.org, ns.adobe.com, scripts.sil.org/OFL, dejavu.sourceforge.net, ascendercorp.com, daltonmaag.com) are XMP namespace identifiers and embedded-font vendor and licence strings, not clickable links, and should not be treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9919

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware with the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fudanologakobur.weebly.com/uploads/1/3/5/3/135394175/sazizofobu_getobof_tidabofesitarew_napisori.pdf
    • https://ritidajadufe.weebly.com/uploads/1/3/4/6/134622671/9473c36.pdf
    • https://cdn-cms.f-static.net/uploads/4416659/normal_6036f534d7758.pdf
    • https://pijusutuwo.weebly.com/uploads/1/3/1/4/131407307/tedidoxozorikug.pdf
    • https://fefaterivigem.weebly.com/uploads/1/3/4/3/134375274/mekigagitegevokoro.pdf
    • https://ribupawotomimam.weebly.com/uploads/1/3/4/6/134694318/luvebu.pdf
    • https://cdn-cms.f-static.net/uploads/4505837/normal_60491393ef5be.pdf
    • https://jotonude.weebly.com/uploads/1/3/1/3/131398177/89c3a4e7717a12.pdf
    • https://wupizesave.weebly.com/uploads/1/3/4/5/134581048/zufodemodipafotifat.pdf
    • https://cdn-cms.f-static.net/uploads/4469106/normal_6021a2e2b6fb0.pdf
    • https://cdn-cms.f-static.net/uploads/4390051/normal_605300a7a9de3.pdf
    • https://befewegumezozem.weebly.com/uploads/1/3/1/4/131453636/2292709.pdf
    • https://cdn-cms.f-static.net/uploads/4453721/normal_604b0a888b9c4.pdf
    • https://dubanivexog.weebly.com/uploads/1/3/4/3/134331992/1890283.pdf
    • https://lonirukigosoz.weebly.com/uploads/1/3/5/9/135965403/zunejugogij.pdf
    • https://gixunilaw.weebly.com/uploads/1/3/1/8/131856646/57b853b.pdf
    • https://fofosefekilom.weebly.com/uploads/1/3/0/8/130813764/mixisowob.pdf
    • https://gigemapafinul.weebly.com/uploads/1/3/1/3/131398374/b1a987ad6.pdf
    • https://sofubozunorupid.weebly.com/uploads/1/3/4/6/134668483/0ed46.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://feedproxy.google.com/~r/wb/ENAH/~3/dN4lCoxrs6M/wb?keyword=g%20shock%20wr20bar%20analog%20time%20setting
    • https://s3.amazonaws.com/penale/what_to_include_in_a_psychology_report.pdf
    • https://s3.amazonaws.com/tadevewuju/60792311707.pdf
    • https://s3.amazonaws.com/pirofopafu/vitunesopujilagadolabe.pdf
    • https://s3.amazonaws.com/vavabi/cooks_essentials_6_qt_pressure_cooker_recipes.pdf
    • https://uploads.strikinglycdn.com/files/d3b1f091-07e9-4c5d-9168-67c7f5658559/redebogejuseki.pdf
    • https://s3.amazonaws.com/midizaxopazeji/what_is_a_sea_monster_called.pdf
    • https://uploads.strikinglycdn.com/files/0f840ee3-956e-4251-b2b2-8b4de3948d3e/unity_select_android_sdk_root_folder_windows.pdf
    • https://uploads.strikinglycdn.com/files/a9a4b0be-5f3b-4f05-be79-92b964f7bbb5/what_is_theory_of_feminism.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
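The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a small amount of regex-driven PDF parsing. The script below is an added illustration written for this page; it is not the analysis engine's own code, and its thresholds (256 KB size cap, at least four .pdf links, half of them on one registrable domain), its "last two labels" domain grouping and the constructed sample PDF are assumptions chosen for the demonstration. It pulls every /URI action out of each indirect object, scores the link-farm pattern, and lists object numbers that are defined twice with differing bodies, raising severity only when one of the bodies carries an active-content key.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a small PDF whose link annotations
# point at .pdf files on sibling hosts of one domain, plus object "8 0" defined a
# second time, with a different body, by an appended incremental update.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://aaa.example.com/uploads/1/3/x.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://bbb.example.com/uploads/1/4/y.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ccc.example.com/uploads/1/5/z.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/files/w.pdf) >> >> endobj
8 0 obj << /Type /Action /S /URI /URI (https://benign.example.org/) >> endobj
trailer << /Root 1 0 R >>
%%EOF
8 0 obj << /Type /Action /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" for every indirect object, including repeated definitions.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# A URI action: /S /URI ... /URI (literal string). Escaped ")" inside the
# literal is not handled here (simplification for the demonstration).
URI_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
# Keys whose presence makes a duplicated body "active content".
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target found in any indirect object."""
    uris = []
    for m in OBJ_RE.finditer(pdf):
        for raw in URI_RE.findall(m.group(3)):
            uris.append(raw.decode("latin-1"))
    return uris


def registrable_domain(host: str) -> str:
    # Assumption: group by the last two labels. A public-suffix list would be
    # needed to get e.g. example.co.uk right; good enough to cluster
    # aaa.example.com / bbb.example.com together.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_farm_assessment(pdf: bytes, max_size=256 * 1024, min_links=4,
                         pdf_share=0.5, cluster_share=0.5) -> dict:
    """Score the 'small PDF full of external .pdf links on one host' pattern."""
    external = [u for u in extract_uris(pdf)
                if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external
                 if urlsplit(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable_domain(urlsplit(u).hostname or "")
                      for u in pdf_links)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    flagged = (len(pdf) <= max_size
               and len(pdf_links) >= min_links
               and len(pdf_links) / max(len(external), 1) >= pdf_share
               and top_count / max(len(pdf_links), 1) >= cluster_share)
    return {"external": len(external), "pdf_links": len(pdf_links),
            "top_domain": top_domain, "top_count": top_count,
            "flagged": flagged}


def find_duplicate_objects(pdf: bytes) -> list:
    """List (num, gen) pairs defined more than once with differing bodies."""
    seen = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        # Normalise whitespace so only real body differences count.
        seen.setdefault(key, []).append(b" ".join(m.group(3).split()))
    findings = []
    for key, bodies in seen.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(ACTIVE_RE.search(b) for b in bodies)
            findings.append({"object": key, "definitions": len(bodies),
                             "first_wins": bodies[0].decode("latin-1"),
                             "last_wins": bodies[-1].decode("latin-1"),
                             "active_content": active,
                             "severity": "high" if active else "info"})
    return findings


if __name__ == "__main__":
    print(link_farm_assessment(SAMPLE_PDF))
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f)
```

On the constructed sample the link-farm check fires (four .pdf links, three of them under example.com), and object 8 0 is reported as a first-wins/last-wins conflict at high severity because its second body carries /JavaScript. The analysed file above would produce the same link-farm verdict from its Weebly cluster but only an informational duplicate-object finding, since no active content was found in the repeated body.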

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four carved artifacts are embedded sfnt font programs; no script object was extracted from the file.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000f28f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF28F  5600 bytes
  SHA-256: 75c83a9aa3f8404bbb76e8179b87cdd3dd529bfdc98bc3e30b6e1b1fa71f7b19
font_01_sfnt_off00010573.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10573 20928 bytes
  SHA-256: 8d7f6ac66880a02ee50a4390a9d0a0e70415dc9a7f87ebe14316a3f1c1d30d1d
font_02_sfnt_off000136f2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x136F2 16296 bytes
  SHA-256: d5ba6d66c3b13f33ff65e5ab89598ad158011f02ec2133c7a5bc162e79422677
font_03_sfnt_off00014c6b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14C6B 4324 bytes
  SHA-256: 781b9fae2fb9201b4a05d2041fea553bb2973f1d011ab9c51e3326c72e342c60