Malicious PDF — malware analysis report

Static analysis result for SHA-256 229fdbc4a9a8d478…

Verdict: MALICIOUS
File type: PDF

Size: 89.2 KB
Created: 2021-03-31 19:08:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fbb3dd8ea37bd629d0106e7a0d59c4fc
SHA-1: 27aa5023527049fa8b5470071b7d7474b7927392
SHA-256: 229fdbc4a9a8d4782526709a7e332ff2a384dcd75b9bea9749290443f3911d97
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing or malicious content distribution scheme, indicated by the presence of numerous external links designed to mimic legitimate download resources. The heuristic PDF_SEO_LINK_FARM firing suggests a deliberate attempt to create a link farm, likely to distribute malware or redirect users to phishing sites. While no scripts were explicitly extracted, the PDF structure and embedded URLs point towards an attack pattern focused on luring users to external, potentially malicious, content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00011f01.bin
    SHA-256: 95300afdb06e994f8d350af31679bf48a23f5b436f5905e1692fbba384470134
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11F01
    Size: 5128 bytes
  • Filename: font_01_sfnt_off00013095.bin
    SHA-256: ab7ad5cb3396e40941fe93a508f89aa0c1d618849a238b86f946f7657a1e9f51
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13095
    Size: 11236 bytes