Malicious PDF — malware analysis report

Static analysis result for SHA-256 251a2228c371e7a2…

Verdict: MALICIOUS
File type: PDF
Size: 71.1 KB
Created: 2021-03-05 10:09:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-10
MD5: 7f7939cbf0800e1ddabeca7311b798d1
SHA-1: 1a32ec2e15897c6942093c956cacb80b27c36219
SHA-256: 251a2228c371e7a21ce9bdd88e9e5d3e48f0e7fae1f6a6e4e8ab64d0e8ebc3f1
Risk score: 186

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
  • font_00_sfnt_off0000d7d5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD7D5 | 5612 bytes
    SHA-256: 26d9bea210dd6e3f773da1059403ef5ffa1ceaf4691b74637219d84476f70714
  • font_01_sfnt_off0000eafd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEAFD | 10596 bytes
    SHA-256: 56516ba1a3be2d74e3a12fe394cb064a7df6979008c1c9cfeda55500e3f325a2