Malicious PDF — malware analysis report

Static analysis result for SHA-256 313587eaebac3c95…

Verdict: MALICIOUS
File type: PDF
Size: 74.3 KB
Created: 2021-03-28 19:01:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: a8593044dfee591403831bcd7474d170
SHA-1: ee3fc46e66c35fe1440408a64a8d57c3b1e00f94
SHA-256: 313587eaebac3c954a836b8e7cf32799cbc952a759454336a7e4332160f53762
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable domains, suggesting a link farm or SEO spam operation. The presence of a 'horoscope' lure in the document body, combined with the external links, points towards a phishing or deceptive content delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/strik?utm_term=horoscopo+del+profesor+zellagro+sagitario (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000e165.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE165 | 5336 bytes
    SHA-256: 2bbc5cd2efcd1f8c23ce5d100ef803aef0544ab2acf933aa90c5fe941af9021c
font_01_sfnt_off0000f3a2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3A2 | 11780 bytes
    SHA-256: 650d7a33f47e3a15b71dea43aaee7ea4b4c7ccd3f51550af1534fe82d43e5fc9