Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f429768302014fb…

Verdict: MALICIOUS
File type: PDF
Size: 76.1 KB
Created: 2021-05-26 18:29:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78f2575b180b12395baf52d3c0c1483d
SHA-1: 76d119dd335964e6494fed0ad4d4efd020bdd637
SHA-256: 2f429768302014fbcd538e0ad0949128d15a0b6d1c89ddc448ebf048fe1afdac
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of external links, many pointing to other PDF files on site-builder hosting (weebly.com subdomains and similar CDN hosts in the URL list below), which is the shape of an SEO-spam or phishing link farm rather than a document's normal citations. The ML classifier and the ClamAV signature both rate the file malicious. No JavaScript or other script was extracted, so the T1059.007 mapping is not corroborated by the recovered artifacts; the verdict rests on the PDF structure and the mass of external links, which are characteristic of carrier documents built to route users to phishing pages or further malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action (a /URI action reachable from a link annotation or another trigger).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or open actions, and the like); here the finding stays at info.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL. The RDF/XMP namespace URIs and the SIL Open Font License URL at the end of the list are metadata identifiers, not navigable link targets.
    • https://kuzutuzo.ru/strik?utm_term=samsung+washer+dryer+error+code+5c
    • https://xanixozejalupu.weebly.com/uploads/1/3/4/8/134873627/4196980.pdf
    • https://cdn-cms.f-static.net/uploads/4424951/normal_60509461cac21.pdf
    • https://zogadinarele.weebly.com/uploads/1/3/1/4/131409244/xodejotapa.pdf
    • https://tafevivif.weebly.com/uploads/1/3/2/6/132682704/82440.pdf
    • https://zuriloteva.weebly.com/uploads/1/3/4/6/134623588/4288039.pdf
    • https://cdn-cms.f-static.net/uploads/4474462/normal_606bfd8f13e31.pdf
    • https://jomijumad.weebly.com/uploads/1/3/0/9/130970003/napaxitasoxomadavenu.pdf
    • https://static.s123-cdn-static.com/uploads/4488558/normal_5ff910b14ee09.pdf
    • https://gipadakox.weebly.com/uploads/1/3/4/8/134884067/cea23bacf62.pdf
    • https://zavutotarewif.weebly.com/uploads/1/3/1/3/131379951/zakajupokomokeja.pdf
    • https://cdn-cms.f-static.net/uploads/4383295/normal_6041f3a9753cb.pdf
    • https://bomitepoz.weebly.com/uploads/1/3/4/8/134895739/piviw.pdf
    • https://kedixomavej.weebly.com/uploads/1/3/4/0/134017366/zefadaxewag.pdf
    • https://dofixojibol.weebly.com/uploads/1/3/0/8/130874360/2860941.pdf
    • https://nimivumunekal.weebly.com/uploads/1/3/3/9/133999229/cb6af485b4cff1f.pdf
    • https://vubujoxesawuzar.weebly.com/uploads/1/3/4/4/134476738/3f93a0a17.pdf
    • https://popuverixi.weebly.com/uploads/1/3/1/4/131438274/monusomepavebav.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/975cf1d6-09fe-4f94-b7ca-bd0993cf2ed1/xexobesewevelal.pdf
    • https://uploads.strikinglycdn.com/files/55043cb8-10fe-4ed0-ac7f-2df443debdea/40959195622.pdf
    • https://uploads.strikinglycdn.com/files/8958305f-f61f-4cc6-b4e0-623b60aa3e89/605699869.pdf
    • https://uploads.strikinglycdn.com/files/43b7d260-3f43-42af-a75d-46fc4015759e/the_language_of_composition_3rd_edition_activity_answers.pdf
    • https://uploads.strikinglycdn.com/files/3de291f3-f489-45df-bd77-8739bf2c9242/how_to_replace_battery_in_adt_control_panel.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
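
The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced on raw PDF bytes. The block below is an added example, not the analysis platform's own code: it parses "N G obj ... endobj" definitions with a regular expression, counts distinct external /URI actions grouped by a crude two-label domain (a stand-in for a public-suffix lookup, so sibling weebly.com subdomains collapse together, which generalises the report's "one host" wording), and reports any object number defined twice with different bodies, raising severity only when a body carries active content. The sample PDF it builds is constructed for the example with made-up hostnames, and the thresholds (256 KB, eight links, 60% share) are assumptions, not the report's.

```python
"""Added example (not the analysis platform's code): re-implementation of the
PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics on raw PDF bytes."""
import re
from collections import Counter
from urllib.parse import urlsplit

# "N G obj <body> endobj"; the lookbehind stops "10 0 obj" from also matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI actions with a literal-string target; hex-string (<...>) targets are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that make an object "active" (code, launch, navigation) rather than plain content.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI", b"/SubmitForm")


def parse_objects(data):
    """All indirect-object definitions in file order, duplicates included: [(num, gen, body), ...]."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip()) for m in OBJ_RE.finditer(data)]


def registrable_domain(host):
    """Crude stand-in for a public-suffix lookup: keep the last two labels (wrong for co.uk etc.)."""
    return ".".join(host.lower().split(".")[-2:])


def link_farm_heuristic(data, max_size=256 * 1024, min_links=8, min_share=0.6):
    """PDF_SEO_LINK_FARM shape: small file, many distinct external URI actions, most on one domain.
    The thresholds are assumptions made for this example."""
    uris = [m.group(1).decode("latin-1")
            for _, _, body in parse_objects(data) for m in URI_RE.finditer(body)]
    external = sorted({u for u in uris if u.startswith(("http://", "https://"))})
    domains = Counter(registrable_domain(urlsplit(u).hostname or "") for u in external)
    top, top_count = domains.most_common(1)[0] if domains else ("", 0)
    share = top_count / len(external) if external else 0.0
    return {
        "links": len(external), "top_domain": top, "share": share,
        "flagged": len(data) <= max_size and len(external) >= min_links and share >= min_share,
    }


def duplicate_object_bodies(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined more than once with different
    bytes. A reader that rebuilds by scanning keeps the first or the last copy; one that trusts the
    latest xref normally sees the last. Severity is 'critical' only if some copy is active."""
    definitions = {}
    for num, gen, body in parse_objects(data):
        definitions.setdefault((num, gen), []).append(body)
    findings = []
    for key, bodies in definitions.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings.append({"obj": key, "definitions": len(bodies),
                             "first_wins": bodies[0], "last_wins": bodies[-1],
                             "severity": "critical" if active else "info"})
    return findings


def build_sample_pdf():
    """Constructed sample, not the analysed file: a skeleton PDF (no xref, enough for this parser)
    with a dozen /Link annotations clustered on one domain, followed by an incremental update that
    redefines the catalog with an /OpenAction running JavaScript."""
    links = [f"https://sub{i}.farm.example/uploads/{i}.pdf" for i in range(10)]
    links += ["https://cdn.other.example/a.pdf", "http://vendor.example/"]
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(links)))
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>\nendobj\n",
    ]
    for i, url in enumerate(links):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n"
                    % (10 + i, url.encode()))
    original = b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    update = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
              b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(link_farm_heuristic(pdf))
    for f in duplicate_object_bodies(pdf):
        print(f["obj"], f["severity"], "first-wins:", f["first_wins"], "last-wins:", f["last_wins"])
```

On the real sample the duplicate object stays at info because neither body carried active content; in the constructed sample the redefined catalog gains an /OpenAction with JavaScript, so the same rule escalates it and shows what a first-wins parser (a plain catalog) and a last-wins parser (the script-bearing one) would each resolve.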

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off0000ebd3.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xEBD3   5740 bytes
  SHA-256: 57223c8c35261f3fc9f6b43075117eac78579e5bbd130c07c5c7d2f44621ec1f
font_01_sfnt_off0000ff4d.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xFF4D   10372 bytes
  SHA-256: 989d85a0dc0d75cbe13b5fd5678a8cbc2fa03e59a868e7ea2e5236b2ee21056a
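
To check artifacts like the two above independently, the font streams can be carved and hashed from the raw file. The block below is an added example, not the platform's carving code: it locates each stream, reads a direct /Length (falling back to the endstream keyword when /Length is an indirect reference), inflates FlateDecode streams, keeps only payloads that begin with an sfnt tag, and names and hashes them in the style of the table. The sample PDF and its fake fonts are constructed for the example (only the 4-byte sfnt tag is realistic), and the reading of the report's offsets as the offset of the stream data is an assumption.

```python
"""Added example (not the analysis platform's code): carve embedded sfnt font streams
out of a PDF and hash them, in the style of the font_*_sfnt_off*.bin artifacts above."""
import hashlib
import re
import zlib

# The "stream" keyword that opens stream data (the lookbehind skips "endstream").
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")
# Direct-integer /Length only; an indirect "/Length 5 0 R" is left unresolved here.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
# sfnt version tags: TrueType 0x00010000, CFF-based OpenType "OTTO", Apple "true", collection "ttcf".
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def carve_sfnt_fonts(data):
    """One record per stream whose decoded bytes start with an sfnt tag. 'offset' is the file
    offset of the stream data (an assumed reading of the report's 0x... offsets)."""
    found = []
    for m in STREAM_KW.finditer(data):
        # The stream dictionary lies between the enclosing "N G obj" and the "stream" keyword.
        dict_start = max(data.rfind(b"obj", 0, m.start()), 0)
        stream_dict = data[dict_start:m.start()]
        start = m.end()
        length = LENGTH_RE.search(stream_dict)
        if length:
            raw = data[start:start + int(length.group(1))]
        else:
            end = data.find(b"endstream", start)  # fallback when /Length is indirect
            if end < 0:
                continue
            raw = data[start:end].rstrip(b"\r\n")  # may clip a payload that itself ends in EOL
        payload = raw
        if b"/FlateDecode" in stream_dict:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or truncated stream: do not mis-carve it
        if payload[:4] in SFNT_MAGICS:
            found.append({
                "name": f"font_{len(found):02d}_sfnt_off{start:08x}.bin",
                "kind": "pdf-font-stream",
                "offset": start,
                "size": len(payload),
                "sha256": sha256_hex(payload),
                "payload": payload,
            })
    return found


# Constructed fake fonts: only the 4-byte sfnt tag is realistic, the rest is filler.
SAMPLE_TTF = b"\x00\x01\x00\x00" + b"\x00\x0b" + b"\x00" * 250
SAMPLE_OTF = b"OTTO" + b"\x00\x04" + b"\xff" * 120


def build_sample_with_fonts():
    """Constructed sample, not the analysed file: one plain content stream, two Flate-compressed
    fonts and one Flate-compressed non-font stream, so the sfnt-tag filter is exercised."""
    def obj(num, extra, body):
        return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (num, extra, len(body))
                + body + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            + obj(4, b"", b"BT /F1 12 Tf (hello) Tj ET")
            + obj(5, b"/Filter /FlateDecode", zlib.compress(SAMPLE_TTF))
            + obj(6, b"/Filter /FlateDecode", zlib.compress(b"not a font, just bytes"))
            + obj(7, b"/Filter /FlateDecode", zlib.compress(SAMPLE_OTF))
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for rec in carve_sfnt_fonts(build_sample_with_fonts()):
        print(rec["name"], rec["kind"], rec["offset"], rec["size"], "bytes", rec["sha256"])
```

Run against the real sample, the SHA-256 of each carved payload should match the hashes in the table; a mismatch usually means a different offset convention or an unhandled filter chain rather than a different font.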