Malicious PDF — malware analysis report

Static analysis result for SHA-256 24a4fb95932eb1dd…

MALICIOUS

PDF

76.0 KB Created: 2021-03-29 23:33:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2cdebd59122fd4ea3ac2b1d2ea6c9364 SHA-1: 62d9ad30c05c8cf99d0e1bb89ecaafa216b2fffe SHA-256: 24a4fb95932eb1dd656952f4c8276b99d53a120da77a8d187c6bf0b818785649
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains a large number of external links, many pointing to potentially malicious domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic indicate the document is designed to redirect users to external sites, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=samsung+un40j5200af+remote+control
    • https://cdn-cms.f-static.net/uploads/4464850/normal_602e7f1350d6e.pdf
    • https://xedafiwiwez.weebly.com/uploads/1/3/2/3/132302754/limexufewasuwe.pdf
    • http://jerimujolegem.medianewsonline.com/what_developer_do_i_use_for_loreal_hicolor.pdf
    • https://cdn-cms.f-static.net/uploads/4445889/normal_60312700e2862.pdf
    • https://cdn-cms.f-static.net/uploads/4467601/normal_602838128fc16.pdf
    • https://cdn-cms.f-static.net/uploads/4368971/normal_603eb91848f32.pdf
    • https://static.s123-cdn-static.com/uploads/4416316/normal_5ffcfb7d98330.pdf
    • http://tefitagesev.mypressonline.com/relation_and_function_definition_in_hindi.pdf
    • https://cdn-cms.f-static.net/uploads/4492245/normal_6043dada67381.pdf
    • https://cdn-cms.f-static.net/uploads/4458849/normal_601bbf18073b3.pdf
    • https://static.s123-cdn-static.com/uploads/4460233/normal_5ffb29af39c5b.pdf
    • https://mogiwivimar.weebly.com/uploads/1/3/4/7/134731652/tuxutuve_zuvezixozo_kugomikenalibe.pdf
    • https://cdn-cms.f-static.net/uploads/4476148/normal_605579ffad41a.pdf
    • http://jalojewaga.mypressonline.com/year_5_spelling_activities.pdf
    • https://ritesevegozuvij.weebly.com/uploads/1/3/1/6/131606822/zunujubarupoxi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7c865ba8-5559-483c-97cb-7fdc8315e4aa/lesson_plan_on_polygons_for_grade_2.pdf
    • https://bd7a0a6f-bbfd-49cc-ba41-c3f2778102d9.filesusr.com/ugd/9ea91e_1caa585557bb4e0bbf75a79a7ab71734.pdf?index=true
    • http://rususekobijo.myartsonline.com/8109601691.pdf
    • https://bad3f395-1638-4667-b349-d6f934eeab49.filesusr.com/ugd/ed2d23_dc01a8d36cc1485bac70b38d237a47f7.pdf?index=true
    • https://uploads.strikinglycdn.com/files/26d5cb45-4c6c-4071-b4e8-86f22002fedf/pioneer_avh-x4700bs_bluetooth_not_working.pdf
    • https://92fbd7ca-8480-4723-bb2c-19523f9dca15.filesusr.com/ugd/29946e_94dac9b926d54339a534a70137a0f2e0.pdf?index=true
    • https://351e5f87-f9e5-4015-92cd-d601692b9ec3.filesusr.com/ugd/a0d0d3_77edfe74ada84059827733baf95a8f8c.pdf?index=true
    • https://dc273c12-e125-4738-b2e6-b96bc4bd5eb7.filesusr.com/ugd/c8df25_7873b4efba6746feaff64ec07242cb07.pdf?index=true
    • https://uploads.strikinglycdn.com/files/11231893-7c62-4de3-8267-cc44f05bc1b0/vuludawaletagedoporo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e9a3.bin
5bb9b4c6d244d4a8177182bcf1e78b366c770b0b95ce1a32601483d967b91b68		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE9A3 5864 bytes
font_01_sfnt_off0000fd97.bin
0891eb371be81988566dd32f2e9a3d45a934585da34ecda02d0189c80ca15c10		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD97 10780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.