Malicious PDF — malware analysis report

Static analysis result for SHA-256 367f40d3c3be2c0b…

Verdict: MALICIOUS
File type: PDF
Size: 77.1 KB
Created: 2021-02-16 16:53:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c97daebc009fe4a392e73b81e1019ca
SHA-1: e0b023e233dd88bd816625a267974b1b6150ae7f
SHA-256: 367f40d3c3be2c0b9f742ab0fdb81510dacec6c1672441d3c2489a99ab9a4230
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including PDF_SEO_LINK_FARM and ML_NYX_PDF_MALICIOUS, indicating a high likelihood of malicious intent. The presence of numerous external links, particularly those pointing to PDF files hosted on various domains, suggests a link farm or redirection mechanism. While no scripts were explicitly extracted, the PDF structure and the nature of the heuristics strongly suggest it's designed to lead users to malicious websites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://seumenha.ru/wix?keyword=slinky+lab+interactive+answers
    • https://cdn.sqhk.co/pesegozod/gdcq3hS/rakuwef.pdf
    • https://laropavo.weebly.com/uploads/1/3/4/5/134585926/7387588.pdf
    • https://talunijepi.weebly.com/uploads/1/3/4/5/134599753/gawulivugabaz.pdf
    • http://bonboxstudio.com/594407282035rb7w.pdf
    • https://cdn-cms.f-static.net/uploads/4470402/normal_5fe73b5b4e458.pdf
    • https://static.s123-cdn-static.com/uploads/4476930/normal_5ff22d3f03ec5.pdf
    • https://cdn-cms.f-static.net/uploads/4413701/normal_5fd91dab0d9b6.pdf
    • https://cdn-cms.f-static.net/uploads/4467004/normal_601f1c5517f56.pdf
    • http://tvoeobrazovanie.fun/best_star_map_for_ipad_free2pi52.pdf
    • https://cdn-cms.f-static.net/uploads/4453732/normal_601306fdacf8c.pdf
    • http://kfnwejfnkwheklf.space/the_great_cat_massacrephox7.pdf
    • http://qupieasy.online/hcu_entrance_exam_2017_answer_keyqfub3.pdf
    • https://cdn-cms.f-static.net/uploads/4367911/normal_601e944831de0.pdf
    • https://cdn.sqhk.co/pogezasamu/9hdcjiJ/beli_pulsa_listrik_dari_jenius.pdf
    • https://fofifakexetag.weebly.com/uploads/1/3/4/3/134345684/7657982.pdf
    • https://cdn.sqhk.co/gawagunikuw/jET8gi5/black_and_white_plaid_christmas_tree_skirt.pdf
    • http://lnstagram-blue-ticks.com/polojonuditegaw7753.pdf
    • https://cdn.sqhk.co/leredupodeka/jhdvZhi/cyclebar_jobs_near_me.pdf
    • https://static.s123-cdn-static.com/uploads/4369343/normal_5fdd9df090a05.pdf
    • http://fortuneo.best/best_lunch_sydney_cbd_broadsheet96eas.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000dc37.bin
  SHA-256: 65dc43f1c027ebeaabc27c83555e1c0880b3e8145154388d6e422a447f0e254a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDC37
  Size: 5228 bytes

Filename: font_01_sfnt_off0000ee8a.bin
  SHA-256: 100d9dd88b4c0f6f2ebf4d18f2ae5e0f6074b000d41ab8f2321196db204cec14
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEE8A
  Size: 5356 bytes

Filename: font_02_sfnt_off000100e7.bin
  SHA-256: 1df470ad491cb856d295c1ad30c7f559adda78944f5c60c75d0def2164baa763
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x100E7
  Size: 11112 bytes