Malicious PDF — malware analysis report

Static analysis result for SHA-256 2dfd9480fd4c8d2a…

MALICIOUS

PDF

Size: 93.1 KB
Created: 2021-03-20 18:02:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3d5fda265e7830158bf953fcdf48e03
SHA-1: cea5c006d7273fe4041e4eb0ca236b1181d18794
SHA-256: 2dfd9480fd4c8d2ad54cb4386d443595fbb5d9e42dd6251354982305513fec72
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics, including ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains a large number of external links, many of which are part of a link farm, suggesting an attempt to manipulate search engine results or redirect users to malicious content. The document body, though heavily obfuscated, appears to contain keywords related to search engine optimization and PDF generation, further supporting the lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/wix?keyword=waukesha+engine+manual+pdf
    • https://cdn.sqhk.co/wavudasawete/hiMhb8G/bengali_movie_bandhan_mp4_video_song.pdf
    • https://cdn.sqhk.co/nifodotiriru/hEWaigU/who_does_big_baby_davis_play_for_now.pdf
    • https://cdn.sqhk.co/madumubo/ijs0lLD/51163671249.pdf
    • https://cdn.sqhk.co/letarezetap/CDWhbqq/bamogapewinifusofenarilog.pdf
    • http://sitizinudex.getenjoyment.net/how_much_do_starbucks_baristas_make_in_california_2019.pdf
    • http://gejesixave.scienceontheweb.net/how_old_is_google_maps_street_view.pdf
    • http://kinemulawaw.sportsontheweb.net/sennheiser_ew_100_g4-me2_835-s_combo.pdf
    • http://xofofumireke.mypressonline.com/bihar_board_dummy_admit_card_2020_download.pdf
    • https://cdn.sqhk.co/salifera/ajbjcNc/wixapikanepofixaxe.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/79d582e4-51ab-41b4-bd7a-68b3c938a9e3/47064155691.pdf
    • https://s3.amazonaws.com/libusamagowuvo/airlift_movie_songs_list.pdf
    • https://s3.amazonaws.com/jarirotexab/wilogu.pdf
    • https://uploads.strikinglycdn.com/files/750df298-032c-4c96-b5b9-64574dcb6a65/pusiwadolaje.pdf
    • https://s3.amazonaws.com/zowibatev/mejivureved.pdf
    • https://s3.amazonaws.com/dorulusof/kimefivobonogadetuxoki.pdf
    • https://s3.amazonaws.com/wixamupelinere/basiremofexuloninitozu.pdf
    • https://3e021c9a-284a-4c54-9ba1-f6d43d4d2ba5.filesusr.com/ugd/a619af_9b2e568b5caa4678ad37bc263a242262.pdf?index=true
    • https://s3.amazonaws.com/kagedatabujo/35242978120.pdf
    • https://uploads.strikinglycdn.com/files/4c0a4393-c0c1-4e06-9301-6b04dd16dba8/how_to_make_roblox_models_in_blender.pdf
    • https://uploads.strikinglycdn.com/files/9311dc59-5318-4750-a2ad-f4c269379884/83720923342.pdf
    • https://s3.amazonaws.com/tedowafomaru/geduzivakudazige.pdf
    • https://s3.amazonaws.com/punurum/baby_love_you_english_new_song.pdf
    • https://fe2b84af-b373-48e0-a714-f820169e3fe9.filesusr.com/ugd/ed1d2e_5aa3144ff8624a93aff9347450c56565.pdf?index=true
    • https://fbaba6ab-37cf-477f-82bd-e10a416eccda.filesusr.com/ugd/3c8574_8faef78541604651a1260b85aa999218.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00012c08.bin
    SHA-256: 5ea20544a798870f7001614b1491d3ee06f1dfd4aa08a3f0d31fad4a35c1ed99
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C08
    Size: 5436 bytes
  • font_01_sfnt_off00013e7a.bin
    SHA-256: c16f9d64c915b1328a7fd906ca3839f2599407e83e3f85e15fdb163b5fcb6c6a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13E7A
    Size: 12312 bytes