Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a87b7dd415ba2a3…

MALICIOUS

PDF

79.3 KB Created: 2021-05-17 06:27:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d4aff3d9e2691ea1abf5762ff8eabc8 SHA-1: b2a0f97955e03c0a6160c22c4dabe51027df3bc7 SHA-256: 2a87b7dd415ba2a3c38663c98cd3c794b3d3985613f548821bb6c86e463dd49d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains a large number of external links, many of which point to potentially malicious domains, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were directly extracted, the presence of embedded URLs and the nature of the link farm indicate an attempt to redirect users to malicious content, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/strik?utm_term=the+game+changers+cast+chef
    • https://cdn-cms.f-static.net/uploads/4402960/normal_606406a454a3e.pdf
    • https://static.s123-cdn-static.com/uploads/4379221/normal_5fca5c2e02279.pdf
    • https://static.s123-cdn-static.com/uploads/4450148/normal_5fe0b47f4ee9a.pdf
    • https://cdn-cms.f-static.net/uploads/4425238/normal_6063fa958eb66.pdf
    • https://static.s123-cdn-static.com/uploads/4365584/normal_5ff2695b6d121.pdf
    • https://static.s123-cdn-static.com/uploads/4450148/normal_5fe0b4021a567.pdf
    • https://static.s123-cdn-static.com/uploads/4413982/normal_60025963b07ea.pdf
    • https://static.s123-cdn-static.com/uploads/4502188/normal_60016803c2bc8.pdf
    • https://static.s123-cdn-static.com/uploads/4404512/normal_5fef142db0daa.pdf
    • http://7lessons.website/898961121560nl4k.pdf
    • https://cdn-cms.f-static.net/uploads/4414678/normal_6017b6f973329.pdf
    • https://cdn-cms.f-static.net/uploads/4369646/normal_6052b5300cf0b.pdf
    • https://cdn-cms.f-static.net/uploads/4457586/normal_600ad81a18a00.pdf
    • https://static.s123-cdn-static.com/uploads/4481406/normal_5fce9bf948e66.pdf
    • http://trylait.pro/pazobaredomemujogajoderu3frwg.pdf
    • https://static.s123-cdn-static.com/uploads/4495040/normal_5feddb1ddd93b.pdf
    • https://static.s123-cdn-static.com/uploads/4498868/normal_5fcf3d89990e3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b02b47d5-77a1-4efa-88c8-3c2d4c14e85f/26570022050.pdf
    • https://uploads.strikinglycdn.com/files/679b438e-ce06-407f-95bf-9009390024e7/tm-ac1900_merlin_384.6.pdf
    • https://uploads.strikinglycdn.com/files/3d149b2e-11c3-4a4d-a770-c1adb4b77f1a/meade_etx_90_telescope_tripod.pdf
    • https://2987c0f4-171e-4473-b3f1-a5468658115b.filesusr.com/ugd/75ff8a_e560d8175c32479494d4b597a81f4301.pdf?index=true
    • https://uploads.strikinglycdn.com/files/68133a86-277e-43af-9458-7d72d5879f87/proform_crosswalk_375e_price.pdf
    • https://uploads.strikinglycdn.com/files/ba5a90ba-22fb-4fe7-91ed-8e3fb928a588/wubukisidikegukuvikit.pdf
    • https://571cbd0a-ba82-408d-be6d-2df53a8fcfe5.filesusr.com/ugd/02af14_9885fcc06aa8495998836b056de14d64.pdf?index=true
    • https://44f68060-d5e3-4d58-b4e7-e3760392f352.filesusr.com/ugd/49488e_65f479c01b07489ea88ad814a3919b21.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f68c.bin
9c213c4a8dd4b45c809c857537f1eacefd9a16e26603f08dc3df51e4cb575bc5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF68C 5212 bytes
font_01_sfnt_off00010821.bin
26e0df6d3d6265ee373257cbed3231fcdb8655414585f4abe4940b57e0e08cbc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10821 11680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.