Malicious PDF — malware analysis report

Static analysis result for SHA-256 34ccfeccc0607da4…

MALICIOUS

PDF

86.6 KB Created: 2021-03-23 13:22:37 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 08168c2d5d7bd525a3c1a9bb1c4821d7 SHA-1: ae2dbfd2b0612601274e03c7028922d402454926 SHA-256: 34ccfeccc0607da4011e690ec6d5500725c862f73edd8445ac0f70c535318ed0
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious by ML classifiers and ClamAV, specifically flagged for containing a large number of external links designed to create an SEO link farm. The document body, though heavily obfuscated, contains text related to 'Pediatric nasogastric tube insertion guidelines', suggesting a lure to attract users to click on the embedded links. The primary malicious activity observed is the hosting of a link farm, likely to manipulate search engine rankings or distribute further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/123?utm_term=pediatric+nasogastric+tube+insertion+guidelines
    • https://cdn-cms.f-static.net/uploads/4410703/normal_603ae7951b790.pdf
    • http://tewazezila.66ghz.com/sheet_metal_forming_fundamentals.pdf
    • https://cdn-cms.f-static.net/uploads/4383912/normal_6038279f60b2d.pdf
    • http://logunej.iblogger.org/tipuxubomubulumutado.pdf
    • http://temipedozut.22web.org/tazubifinamepuzibum.pdf
    • https://static.s123-cdn-static.com/uploads/4415935/normal_5fdfc83c401a9.pdf
    • https://cdn-cms.f-static.net/uploads/4368481/normal_6058f67ebfbd6.pdf
    • https://cdn-cms.f-static.net/uploads/4405654/normal_6024ad5961d92.pdf
    • https://cdn-cms.f-static.net/uploads/4480728/normal_603c1c48b8f5e.pdf
    • https://static.s123-cdn-static.com/uploads/4479226/normal_5ffabd52e639f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://xituduriximujat.epizy.com/apa_6th_edition_referencing_style_manual.pdf
    • https://507f79ed-2408-4027-b124-45ed49bded7d.filesusr.com/ugd/2de61b_c65ad13a0d6e401787cdc78d03793331.pdf?index=true
    • https://5c90cfa9-af55-48e2-9430-1f3580382729.filesusr.com/ugd/e2b09b_20318573d2bf4795943ebda2e10fc5d8.pdf?index=true
    • http://fudodub.epizy.com/fallout_76_enclave_entrance_questionnaire_answers.pdf
    • http://xiwaresijo.epizy.com/apheresis_guidelines_uk.pdf
    • https://8a833fea-7c9a-4d2e-a5a7-d3590f42a3e5.filesusr.com/ugd/9aab09_26f88b389223405392893dcc42493a3e.pdf?index=true
    • https://03dfb0eb-7fe6-4188-ad87-ea2b88df7b19.filesusr.com/ugd/f967ac_7dfa8ffc158a4994bb713addbd1021ab.pdf?index=true
    • https://4e4301d6-cc9a-4939-960a-6b497c1efea6.filesusr.com/ugd/d78803_454017d90d8b45caa643907f03417347.pdf?index=true
    • https://e40da922-b0e4-44be-9878-2d4898ccab21.filesusr.com/ugd/3a38e0_8a9e23992a38486c854cd4dc27bef87b.pdf?index=true
    • http://wedutatitupaze.epizy.com/tomafevosadewukid.pdf
    • http://lokeliniju.epizy.com/32429225237.pdf
    • https://bac325b5-3710-4a60-ba01-c1ac5e8a7650.filesusr.com/ugd/c111de_a61a189f32274a10b16dd95884914031.pdf?index=true
    • https://3abcc933-4059-444f-8e65-7077e95f005f.filesusr.com/ugd/44645f_52f29efc71094843abe649ac862c5cb9.pdf?index=true
    • http://kekabifaku.rf.gd/ruvopiduxerevilunaramofup.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010070.bin
773eed5f28817f88eb7d448d15e10e02ff6c37b50414b540467a1442128b2cfa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10070 5248 bytes
font_01_sfnt_off00011253.bin
70825644d7bfcba244ea677f2695b9616b55c66c898075c162907c43a74248f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11253 11000 bytes
font_02_sfnt_off0001377a.bin
4ef9506ee11a349461550e6b437e3786686b598308a87786035880d16624999d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1377A 16060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.