Malicious PDF — malware analysis report

Static analysis result for SHA-256 352a163e73fd5a74…

Verdict: MALICIOUS

File type: PDF

Size: 80.4 KB
Created: 2021-03-31 22:12:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ce3524d52c10304221f550fac9d6b38
SHA-1: dd56db2e584810a0a08d504db1beac8d6af97dfd
SHA-256: 352a163e73fd5a741179a5a1e223f959702de605197360c54c5496ec9de40e93
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains numerous external links, indicative of a link farm designed for SEO manipulation, with one prominent URL suggesting a lure for game downloads. The ML classifier and ClamAV detection strongly indicate malicious intent, likely involving the exploitation of PDF vulnerabilities to execute code. While no scripts were directly extracted, the PDF structure and heuristic firings suggest it acts as a dropper or downloader for further malicious payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/123?utm_term=soul+calibur+full+game++for+android
    • http://bobatukuxoto.iblogger.org/bootcamp_driver_windows_7.pdf
    • http://subbellassecret.com/bupemabowalikofifivizdhhx4.pdf
    • http://jasetukuxazep.22web.org/domain_and_range_mapping_diagram_worksheet_answers.pdf
    • http://exampl1214.com/how_to_improve_wood_stove_draftlsovl.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a49a6154-edc8-4132-95a2-c7bb8d673fe9.filesusr.com/ugd/551169_93424566c7244a9bb85bc84ec794ee2d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7e2da56d-5c86-47e9-898c-bcd3dd840674/kenworth_t270_owners_manual.pdf
    • https://uploads.strikinglycdn.com/files/a66515f2-1f3d-4be7-9525-c46f1406d0c4/c_primer_plus_exercise_solutions.pdf
    • https://uploads.strikinglycdn.com/files/0e090ddb-105e-4e31-a4d0-50028fa78672/yamaha_baby_grand_piano_used_for_sale.pdf
    • https://uploads.strikinglycdn.com/files/be5341d6-e521-4b86-932d-268a81b787d4/graham_hancock_bbc_documentary.pdf
    • https://uploads.strikinglycdn.com/files/695de2cb-0b68-4f37-9ad7-95a011e540f1/wogivemifaxuwobon.pdf
    • https://46b09160-81f9-4cb3-9cca-f7b5b0c0229e.filesusr.com/ugd/179cc6_b8fb1708da37440e98e2bc4084277bcd.pdf?index=true
    • http://lededisizu.epizy.com/job_application_letter_format_in_pakistan.pdf
    • https://uploads.strikinglycdn.com/files/87692035-c2c4-420a-979d-41627e04d346/troy_bilt_13at609g766.pdf
    • http://sogoxeme.rf.gd/samigufukudabasu.pdf
    • https://184d393c-d2ff-49e5-bbcb-48626b1dbf88.filesusr.com/ugd/49be48_76606aed05d1498c86e18636586efa0f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a1796d78-38b4-4d97-ad66-984e4a560d19/benenodebeka.pdf
    • https://f26e6bca-ce10-4524-9610-ed5ef7c8d48b.filesusr.com/ugd/ac8c68_e9c74ec9ce41446ab2d3855bfad96505.pdf?index=true
    • https://uploads.strikinglycdn.com/files/28ae1784-9669-4a1a-8d96-c030f48cefdf/fasorojelowetenidinewimi.pdf
    • https://uploads.strikinglycdn.com/files/78381fa9-9608-448a-9d47-6563eca23f3c/sazobezefodugikix.pdf
    • https://28ed73df-463f-41d7-bc87-4635118fd8e0.filesusr.com/ugd/74acc8_d4f2a3bf6e5a4545851467ae8739c010.pdf?index=true
    • https://uploads.strikinglycdn.com/files/78fa2854-0422-4a1e-8233-5d78eb315fed/kuraf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000fc84.bin
    SHA-256: 654b7bffca7708a849611c7466418525ff4beb062f45cf6cda6aa6bcca8b6c5c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC84
    Size: 5404 bytes
  • font_01_sfnt_off00010ecd.bin
    SHA-256: 5f22ac5eae246953752d033a0b9e31f79e6c69386c318c7438a21f66077af6c1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10ECD
    Size: 10476 bytes