Malicious PDF — malware analysis report

Static analysis result for SHA-256 27f2103fb91974e9…

Verdict: MALICIOUS
File type: PDF
Size: 75.3 KB
Created: 2021-03-19 20:58:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 55b5629cbe02e1e170f485f393de649e
SHA-1: 7f2421f8b09457f987e6b9be2107a878f7e4756f
SHA-256: 27f2103fb91974e92dbdf665565fa37a6065117da24d7cef0a1eb958320ebe16
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, indicating a link farm or redirection scheme. The heuristic 'PDF_SEO_LINK_FARM' specifically flags the presence of many external PDF links, suggesting an attempt to manipulate search engine results or distribute content through a network of linked documents. The embedded URLs and the document body, though partially corrupted, suggest a lure related to educational materials to drive traffic to malicious domains.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9956

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/award?keyword=anatomy+and+physiology+openstax+college+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e7da.bin
  SHA-256: ee85481d0f4239589107f5f2d1bbce18f29c96b15ee0c69b5ca1770496147b85
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE7DA
  Size: 5632 bytes

Filename: font_01_sfnt_off0000faf7.bin
  SHA-256: 4b9c04828c4641306c0ddc926c47c0dae1fd68c60115c685e2f8a8660e9d79bf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFAF7
  Size: 10136 bytes