Malicious PDF — malware analysis report

Static analysis result for SHA-256 24a0923d1c54eb2a…

MALICIOUS

PDF

78.9 KB Created: 2021-03-31 03:43:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-02
MD5: 96042b5be20812271d3b94e6a90a31c6 SHA-1: 5a5d709ed75983c0ef2b7b14a8d05e47fe763326 SHA-256: 24a0923d1c54eb2a853d68e7e5ef114864e6e32a1b48e14baf714895f90d2ec8
234 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF is identified as malicious by ClamAV and ML classifiers, exhibiting characteristics of a link farm and SEO manipulation. It contains numerous external links, including one to 'http://managerprogram.live/sinhala_cartoon_films_mp4zx4wf.pdf', suggesting a phishing or malware distribution attempt disguised as a grammar guide. The presence of multiple suspicious URLs and the overall structure indicate a coordinated effort to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/award?keyword=english+grammar+rules+pdf+download PDF link annotation
    • https://gununoneku.weebly.com/uploads/1/3/4/3/134309052/518230ec73d.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4492915/normal_5fd853bd5c2a5.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4497368/normal_5fe4562130271.pdfIn PDF document text
    • http://salet.store/terekijizajakomozedao49nj.pdfIn PDF document text
    • http://usesalle.xyz/jerife1cgac.pdfIn PDF document text
    • http://lestyprin.online/how_to_grow_your_hair_faster_african_american_maleuqai5.pdfIn PDF document text
    • http://busforpay.online/28623870247f7dgg.pdfIn PDF document text
    • https://paluwewokob.weebly.com/uploads/1/3/2/7/132712057/479ab1bcf.pdfIn PDF document text
    • https://zufunukilaje.weebly.com/uploads/1/3/4/8/134888690/patumoragifolebiso.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4450154/normal_5fd65819f0a4c.pdfIn PDF document text
    • http://managerprogram.live/sinhala_cartoon_films_mp4zx4wf.pdfIn PDF document text
    • https://doxabonejanowi.weebly.com/uploads/1/3/4/6/134669922/7055759.pdfIn PDF document text
    • http://zunugopubudo.22web.org/fexazavasefewa.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4393637/normal_6049e6c327af9.pdfIn PDF document text
    • https://vobuzotoxat.weebly.com/uploads/1/3/4/7/134705481/wegikewoguwowanu.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://95043331-d9de-4498-ad98-35b8ac3ee23f.filesusr.com/ugd/5740b2_ef88fc5d34e54354964d0a3fa23c55c7.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/57cee449-8a99-4c1e-9d87-5a03a847c00c/25497625928.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d4aec7ff-9bfd-4d7f-9c53-fe441efe16f3/basic_trig_identities_formula_sheet.pdfIn PDF document text
    • https://200ee3fc-349d-4871-b5c3-2c1c69b60476.filesusr.com/ugd/7b00a0_c35d2a03eb6547b88e99905d53c2dfb9.pdf?index=trueIn PDF document text
    • http://wusasozomumag.epizy.com/bypl_new_connection_form.pdfIn PDF document text
    • https://5e9816b5-e261-4a84-a5c7-594b6999e1c8.filesusr.com/ugd/eb2f7d_88a0a1a02e324d30b76b4a7253687e67.pdf?index=trueIn PDF document text
    • https://uploads.strikinglycdn.com/files/a6aa01b7-609c-4daa-95df-057d5634b9d5/mayflower_families_through_five_generations_vol._12_francis_cooke.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f514.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF514 5504 bytes
SHA-256: 072f9cf3ca69b2b984b576dfdf3dcefb1e0db3fee8acf50865efdaf24be71f5b
font_01_sfnt_off000107ba.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x107BA 11116 bytes
SHA-256: dd65e7edb6af1e9f8c99713df5a96998eeab11cc8c843b67ca1376a8f60db775

Open this report in the interactive analyzer, or submit your own file for analysis.