Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a83a908e7a8e9d1…

MALICIOUS

PDF

75.0 KB Created: 2021-06-12 08:12:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 681817d69cc71e7d92adece771fe0731 SHA-1: cf5f627a36b57f121227a6e61c607b7077c52515 SHA-256: 2a83a908e7a8e9d1dcd0550b02a1c2d17e53cc20fd75392d89432fa7cb1e44a5
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many of which are designed to mimic search results for book downloads, indicating a phishing or content-luring attack pattern. The heuristic PDF_SEO_LINK_FARM firing suggests a large number of these links were generated programmatically. ClamAV detection and ML classification strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://krisoc.ru/pbw?utm_term=angel+of+the+dark+sidney+sheldon+pdf+free+download
    • https://xiwaxodo.weebly.com/uploads/1/3/4/3/134319271/lawigisoxetotidanevi.pdf
    • https://tafajasezo.weebly.com/uploads/1/3/4/3/134312542/sovege.pdf
    • https://cdn-cms.f-static.net/uploads/4373281/normal_6050249c90a87.pdf
    • https://fajevubesupuvax.weebly.com/uploads/1/3/5/3/135387480/a48747d33.pdf
    • https://komimarokobak.weebly.com/uploads/1/3/4/6/134604519/392d47fe5d24.pdf
    • https://nutakofo.weebly.com/uploads/1/3/4/8/134894975/3467576.pdf
    • https://cdn-cms.f-static.net/uploads/4490920/normal_603b366cd365a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://xifatarege.pbworks.com/f/fezuzobedupigo.pdf
    • https://uploads.strikinglycdn.com/files/09f07f62-9181-4044-8d41-8375a169ec5a/44048372475.pdf
    • https://uploads.strikinglycdn.com/files/36748766-5164-4c6e-85b6-4a8360eceffe/eragon_book_4_free.pdf
    • http://zikupuzajix.pbworks.com/f/how_to_download_ms_office_on_windows_10.pdf
    • https://uploads.strikinglycdn.com/files/a5608a5c-060c-4130-82de-47a4c920e9c2/how_to_change_a_wick_in_kerosene_heater.pdf
    • https://uploads.strikinglycdn.com/files/92556a5a-46cd-4997-ad67-c67aa33786ad/how_do_you_find_the_magnitude_of_the_normal_force.pdf
    • https://uploads.strikinglycdn.com/files/94c25807-1e98-40a9-80f8-68bb6e3fdc3b/34297093532.pdf
    • http://pibuluwopo.pbworks.com/f/5558612388.pdf
    • https://uploads.strikinglycdn.com/files/29c10920-b6e5-4d5a-823a-a69097279d2f/5_times_table_worksheet_for_grade_1.pdf
    • https://uploads.strikinglycdn.com/files/2615bfc2-a84d-4258-b5d3-853a080b9964/quantitative_analysis_for_management_13th_edition_download.pdf
    • https://uploads.strikinglycdn.com/files/ce590776-165b-4c0f-b5c8-9b71e4043640/maserati_manual_transmission_for_sale.pdf
    • http://mosijiv.pbworks.com/w/file/fetch/144714888/xufewuvotekadif.pdf
    • https://uploads.strikinglycdn.com/files/730553b9-1d0c-442c-9127-0b7ebc7b3c5f/creepy_nights_at_freddys_2_unblocked.pdf
    • https://uploads.strikinglycdn.com/files/2e8f571e-96d6-4cda-a3e8-1a81e728beaa/pokilasujefoxazu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e517.bin
5955f65f8df765cd649b9dd800347b07c3cd363f90a12daad23d142fa371cf8c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE517 5552 bytes
font_01_sfnt_off0000f819.bin
5ae572766f7ebb615ca0151741fb5edd00da21d1bc43a85e052403ca4c181701		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF819 10780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.