Malicious PDF — malware analysis report

Static analysis result for SHA-256 301396e3417d26cc…

Verdict: MALICIOUS
File type: PDF
Size: 73.0 KB
Created: 2021-03-28 20:30:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 13473a1c68b2ed9ec3b0c7683b059183
SHA-1: d1d8091c2151606692bfcb0efaf5013dea6b8df8
SHA-256: 301396e3417d26cc969c976ac06c6b83af70b8cdaae0b5846b89e254b1c496a2
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to other PDFs, suggesting a link farm or SEO manipulation tactic. The ClamAV detection and ML classifier indicate malicious intent, likely related to phishing or malware distribution via these links. No scripts were extracted, but the PDF structure itself is used to host and distribute links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000cc94.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCC94
    Size: 5236 bytes
    SHA-256: 04623440ffda1685c6bac6962ebca42e5f7fe70ac3f7bd8d7eeb8693a197ac67
  • font_01_sfnt_off0000de48.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDE48
    Size: 10160 bytes
    SHA-256: b03f56ecbb589f04baf318dea8444550def8818883cf1e4ad46c6d8e4316c33a
  • font_02_sfnt_off00010145.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10145
    Size: 16204 bytes
    SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501