Malicious PDF — malware analysis report

Static analysis result for SHA-256 242c54e965323f74…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Created: 2021-03-29 15:49:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1f46f3088cd9e16b6638934484b0b744
SHA-1: 48ca1edf2a49365580f55746c43ea7b3d4879dea
SHA-256: 242c54e965323f74a8b9b9a4dd62df44cc711e3a738432ac6e3705d4b9c72352
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Both ClamAV (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and the Nyx PDF classifier (score 0.9990) flag this file. Its content is dominated by clickable external links to other PDF files, many hosted on free site-builder and web-hosting domains such as weebly.com, strikinglycdn.com and epizy.com, and the file was generated from HTML with wkhtmltopdf. That combination matches a machine-generated SEO link-farm carrier that routes readers into unwanted-software or phishing delivery chains, not a document with a normal citation pattern. No JavaScript or other active content was extracted, so the T1059.007 (JavaScript) mapping is not backed by a recovered artifact; the spearphishing-attachment mapping (T1566.001) rests on the link annotations and the delivery pattern they imply.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI [info] PDF_URI
    PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (saved edits append a new copy of an object), so severity is raised only when the duplicate carries active content; here it does not, hence the info level.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/award?keyword=the+blockchain+capital+markets+use+cases+pdf
    • http://zimipodetasasa.iblogger.org/maybelle_chet_atkins.pdf
    • https://xilamebi.weebly.com/uploads/1/3/4/5/134598653/finomonotofajawekaze.pdf
    • https://widosutolitidaf.weebly.com/uploads/1/3/4/8/134847614/8b4980dd43db6.pdf
    • http://babbieshop.ru/vixamuxtn5n.pdf
    • http://rexevivejegox.scienceontheweb.net/bank_of_abyssinia_annual_report_2020.pdf
    • http://fasadi.site/what_are_forex_strategiestz3pt.pdf
    • http://gakagebir.mypressonline.com/liwagawakebigujuxir.pdf
    • https://siradukezud.weebly.com/uploads/1/3/4/7/134711866/jiloxopaluvifemo.pdf
    • http://b2b-servis.ru/star_wars_visual_dictionary_rise_of_skywalker7vxvj.pdf
    • http://changepass.online/ukulele_strumming_patterns_4_4d4fg6.pdf
    • https://zapikomamotal.weebly.com/uploads/1/3/1/6/131606370/9270732.pdf
    • http://helplnstagramcontact6088758.com/fusion_juicer_price_walmartlrvz6.pdf
    • https://diwodineguxep.weebly.com/uploads/1/3/4/3/134305573/kowitidafu-dasoxab.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nototen.epizy.com/springform_pan_spaghetti_pie.pdf
    • https://uploads.strikinglycdn.com/files/e38290dd-a954-493a-b91c-4cb140661000/tezosadepakovazerelovasu.pdf
    • https://uploads.strikinglycdn.com/files/73bade45-b803-414d-b370-210b84645bd4/59360688491.pdf
    • https://uploads.strikinglycdn.com/files/06f42f43-8da2-466d-ae19-90af700fb542/financial_markets_and_institutions_11th_edition.pdf
    • https://uploads.strikinglycdn.com/files/8a5ac9f7-924e-4470-b910-c26d90383796/galevazoxosenogitate.pdf
    • http://vesoromu.epizy.com/new_aadhar_card_form_online_apply.pdf
    • http://bumurulepowele.myartsonline.com/zomajajagiviwuwugetuxal.pdf
    • https://uploads.strikinglycdn.com/files/fbb91d1b-68b8-4df1-9dba-9b85e782feb1/o_que__marketing_digital_e_como_funciona.pdf
    • https://uploads.strikinglycdn.com/files/581e45c6-ccb3-44a6-ad41-5bca87371c93/how_to_write_an_essay_about_an_important_person.pdf
    • http://puzegekizizovin.epizy.com/holt_mcdougal_algebra_1_answer_key.pdf
    • https://uploads.strikinglycdn.com/files/59cf60fe-7eb4-4bed-abed-365a04aa1178/delanikafoza.pdf
    • https://uploads.strikinglycdn.com/files/6dab9849-0ebf-464f-91fa-7936830a52f8/how_to_tell_if_someone_is_genuinely_interested_in_you.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are not navigable link targets: the w3.org, purl.org and ns.adobe.com URIs are RDF/XMP namespace identifiers from the document metadata, and scripts.sil.org/OFL is the SIL Open Font License URL carried in embedded font metadata (the two ascendercorp.com entries are likely font-vendor metadata as well). Exclude them when counting link-farm URLs or pivoting on infrastructure.
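As an added example, not tooling from this report's analysis pipeline, the following Python script implements the two structural checks described under PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL against a constructed sample PDF: it extracts /URI link actions, clusters them by host, and finds object numbers defined more than once with differing bodies, showing what a first-wins and a last-wins reader would each resolve. The thresholds (200 KB, 10 links, 50 % on one host), the sample PDF and its hostnames are assumptions for the example; the regex parser handles only uncompressed objects with literal-string URI targets, not object streams or hex strings, and does not follow the xref chain.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Uncompressed "N G obj ... endobj" blocks; object streams (/ObjStm) are not expanded.
OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\b(.*?)endobj', re.S)
# /URI actions with a literal-string target; hex-string (<...>) targets are not handled.
URI_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.S)


def iter_objects(data):
    """Yield (num, gen, body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def extract_uri_actions(data):
    """Return every /URI target string found in any object body, in file order."""
    uris = []
    for _num, _gen, body in iter_objects(data):
        for m in URI_RE.finditer(body):
            raw = re.sub(rb'\\(.)', lambda e: e.group(1), m.group(1))  # undo \( \) \\ escapes
            uris.append(raw.decode('latin-1'))
    return uris


def link_farm_verdict(data, max_size=200_000, min_links=10, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM-style check: small file, many /URI links, most on one host.

    The thresholds are assumed for this example, not the report's own values.
    """
    uris = extract_uri_actions(data)
    hosts = Counter(urlsplit(u).hostname or '' for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ('', 0)
    pdf_links = sum(1 for u in uris if urlsplit(u).path.lower().endswith('.pdf'))
    flagged = (len(data) <= max_size
               and len(uris) >= min_links
               and top_n / max(len(uris), 1) >= cluster_ratio)
    return {'links': len(uris), 'pdf_links': pdf_links, 'hosts': dict(hosts),
            'top_host': top_host, 'flagged': flagged}


def duplicate_object_bodies(data):
    """Map (num, gen) -> bodies for objects defined more than once with differing bytes."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve_object(data, num, gen, policy='last'):
    """Body a reader would use for (num, gen) under a first-wins or last-wins policy.

    A conforming reader follows the xref/trailer chain instead; scanning readers and
    repair modes typically behave like one of these two policies.
    """
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == 'first' else bodies[-1]


def build_sample_pdf():
    """Constructed test input (not the analysed file): 12 link annotations, 10 on one
    host, plus object 4 0 defined twice with a different /URI in each body."""
    hosts = ['farm.example'] * 10 + ['other.example', 'www.example.org']
    annots = b' '.join(b'%d 0 R' % i for i in range(10, 10 + len(hosts))) + b' 4 0 R'
    parts = [b'%PDF-1.4\n',
             b'1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n',
             b'2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n',
             b'3 0 obj << /Type /Page /Parent 2 0 R /Annots [' + annots + b'] >> endobj\n']
    for i, host in enumerate(hosts, start=10):
        parts.append(b'%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI '
                     b'/URI (http://%s/doc_%d.pdf) >> >> endobj\n' % (i, host.encode(), i))
    # Same object number twice: a first-wins reader sees the benign target, last-wins the payload.
    parts.append(b'4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI '
                 b'/URI (http://benign.example/readme.txt) >> >> endobj\n')
    parts.append(b'4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI '
                 b'/URI (http://farm.example/payload.pdf) >> >> endobj\n')
    parts.append(b'trailer << /Root 1 0 R >>\n%%EOF\n')
    return b''.join(parts)


if __name__ == '__main__':
    pdf = build_sample_pdf()
    print(link_farm_verdict(pdf))
    for (num, gen), bodies in duplicate_object_bodies(pdf).items():
        print(f'{num} {gen} obj defined {len(bodies)} times with differing bodies')
        print('  first-wins:', resolve_object(pdf, num, gen, 'first'))
        print('  last-wins :', resolve_object(pdf, num, gen, 'last'))
```

On a real sample, filter XMP namespace and font-license URIs out of the extracted list before computing the host clustering, otherwise metadata inflates the link count; and treat a duplicated object as interesting only when the two bodies disagree on something a reader acts on (a /URI target, a /JS or /Launch action), as the heuristic text above says.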

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f7f6.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF7F6
  Size: 5548 bytes
  SHA-256: 3de3d5f353c981192b9a420b484f7a8c1fac595e0d1fd5b932d06b5de7349f63

Filename: font_01_sfnt_off00010aa2.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10AA2
  Size: 10632 bytes
  SHA-256: 4d8823f684c336190d6d5f484389128b3b2beff93603eb05e196208c4bfe90aa