Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b86532be97db838…

Verdict: MALICIOUS

File type: PDF
Size: 87.0 KB
Created: 2021-06-05 00:59:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1ef572eb36ce7df2079a18e518ebe037
SHA-1: a89929950dba81a9a4ac858e234b0e866947f2a7
SHA-256: 2b86532be97db8386f58802cb58a787723f04ca4c9f8ca629be7535dc15a4161

Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics, including ClamAV and an ML classifier. It contains a large number of external links, many pointing to Weebly and other free hosting services, which suggests a link farm or phishing operation. The document body, though heavily obfuscated, contains text about song downloads; this is likely a lure that disguises the file's real purpose of directing users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ponafet.ru/123?utm_term=anuraga+karikkin+vellam+songs+mp4+free
    • https://likixolokezixi.weebly.com/uploads/1/3/0/7/130738950/358169.pdf
    • https://wonimigapikil.weebly.com/uploads/1/3/7/5/137509794/dalek-wipenuvez.pdf
    • https://pesibomen.weebly.com/uploads/1/3/4/5/134576470/zekizujemewerew.pdf
    • https://lubumona.weebly.com/uploads/1/3/4/6/134648672/6382031.pdf
    • https://wajufavex.weebly.com/uploads/1/3/4/5/134587400/rivebitek_dibotusuferapun.pdf
    • https://muzikalojex.weebly.com/uploads/1/3/4/0/134012647/gibob.pdf
    • https://dotofufodil.weebly.com/uploads/1/3/5/3/135313806/gevojizig-tumokimitagu-gubufonaxul-rujel.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/07f239bb-c1b9-4b7f-9bec-f7cdaa3137c1/kuwuxitoselugi.pdf
    • https://uploads.strikinglycdn.com/files/99cc45f7-aceb-48be-8708-c7603bf5d83a/brandywine_falls_trail_map.pdf
    • http://betosaxugawi.pbworks.com/f/printable_vinyl_htv_sheets.pdf
    • https://uploads.strikinglycdn.com/files/8d37f8bb-6357-49b5-8773-02b074d323a2/how_to_get_health_regen_augment_mhw.pdf
    • http://pefumugat.pbworks.com/f/ernakulam_district_map.pdf
    • https://uploads.strikinglycdn.com/files/66192143-d6f9-4f48-839b-b5eaef3a21e1/46791910365.pdf
    • http://wixugigir.pbworks.com/f/may_who_full_movie_subtitle_indonesia.pdf
    • https://uploads.strikinglycdn.com/files/08600509-3983-4a22-b5ce-569e8cc54813/78669569608.pdf
    • https://uploads.strikinglycdn.com/files/1cd0962c-ff8e-4479-aff5-f4b4f680d3be/navy_dive_knife.pdf
    • https://uploads.strikinglycdn.com/files/56333d55-38cc-4d71-900c-1fdbe1b1f73d/3.5_magic_of_faerun.pdf
    • https://uploads.strikinglycdn.com/files/5da9ec01-0f44-48c0-94bd-33d2859ba9f3/tesla_model_3_long_range_1_4_mile_time.pdf
    • https://uploads.strikinglycdn.com/files/a7679ba8-2d99-44f0-bd39-92aeb211fb54/is_dominos_garlic_dip_gluten_free.pdf
    • https://uploads.strikinglycdn.com/files/9b454548-b242-4cee-929c-400c2ea9618f/english_grammar_worksheets_for_class_10_cbse_with_answers.pdf
    • http://kafunujazuwo.pbworks.com/f/rokole.pdf
    • http://ravowibosu.pbworks.com/f/windows_8_iso_64_bits_mega.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • font_00_sfnt_off0000f042.bin
    SHA-256: 8edbb16f51093b2d6099fe5b020912ca6cece16309fda018eedb1188ea411bea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF042
    Size: 5560 bytes
  • font_01_sfnt_off0000ffc6.bin
    SHA-256: 75ff0b98e7e8f1b2dcb802e9bd22c43babc0c18c40ac01d23f14aa700916609f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFFC6
    Size: 5420 bytes
  • font_02_sfnt_off0001123a.bin
    SHA-256: 46381f9b4c88eb5ba0530953e257cc8c1d9dedc56acc11cd30994cb6c515036b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1123A
    Size: 11120 bytes
  • font_03_sfnt_off000138a8.bin
    SHA-256: c41fc46809d2260d2d1a821cef6bb00dae560fdbad380da94a93f29d012df54e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x138A8
    Size: 16164 bytes