Malicious PDF — malware analysis report

Static analysis result for SHA-256 32b8214242681d72…

Verdict: MALICIOUS
File type: PDF
Size: 119.1 KB
Created: 2021-03-27 11:28:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2a1a1eb486036591afdc3757a21cf309
SHA-1: d08048276ae09447fd2c1d27241dee964b8ccc44
SHA-256: 32b8214242681d725d239ee1eb43b59f2ee67e574c79d0ef7c7378b1b7124a10
Risk Score: 186

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of them hosted on disposable domains, which suggests a link farm or phishing operation. The ClamAV detection and the ML classifier both strongly indicate malicious intent, specifically phishing. The embedded URLs and the link-farm heuristic firings point to an attempt to redirect users to malicious sites, most likely for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • [info] PDF_URI: External URI
    The PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00017c11.bin
  SHA-256: 5839050e9ace1c136f608f556561632c85a6d28b3b7b61dc05d5555c041511c4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17C11
  Size: 5516 bytes

Filename: font_01_sfnt_off00018ec0.bin
  SHA-256: 5a7ef35c2689e071bc6ab20a319d60979888e6acd39b0a813e1700ace4f2cdf1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x18EC0
  Size: 12268 bytes

Filename: font_02_sfnt_off0001b8b2.bin
  SHA-256: aae202032da2f9d978a80a712c499c49e275c7b72be35fc0219e3b5643caa120
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1B8B2
  Size: 16152 bytes