Malicious PDF — malware analysis report

Static analysis result for SHA-256 398cc8c5870a4116…

MALICIOUS

PDF

Size: 83.8 KB
Created: 2021-03-30 20:39:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f5fa06b5145ac204a48361ee1b843717
SHA-1: d215df2a73cce72aae2e4e95a7da1086673bf188
SHA-256: 398cc8c5870a4116b7758adb70a9445bbe826b4b07ed1d79350a0cd7c59441f3
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to other PDF files, which suggests a link farm or a mechanism for distributing further malicious content. The ClamAV detection and the ML classifier both strongly indicate maliciousness. Although no scripts were explicitly extracted, the PDF structure and the numerous external links suggest it is designed to redirect users to potentially malicious sites or to download further payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://golowaki.ru/123?utm_term=pete+davidson+ariana+grande+song
    • https://firajapototirop.weebly.com/uploads/1/3/1/4/131452771/786748.pdf
    • https://gadonivoxe.weebly.com/uploads/1/3/5/3/135331758/9448124.pdf
    • https://guxitubekin.weebly.com/uploads/1/3/4/2/134267073/4552876.pdf
    • http://job-finder.space/birodso9t9.pdf
    • http://lnstagram-blue-ticks.com/2220638746913ng0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/gazivemon/tusotifibodugawafup.pdf
    • https://s3.amazonaws.com/lixisariwulo/dirunekudavuworijaralo.pdf
    • https://s3.amazonaws.com/gekixadonuru/fallen_lauren_kate.pdf
    • https://s3.amazonaws.com/dazutun/wotisavuvojenev.pdf
    • https://68f06c25-eb64-4e0a-94e3-a0e33e610147.filesusr.com/ugd/463ace_bcd6454f5bb0451bac0581d836e4f39a.pdf?index=true
    • https://s3.amazonaws.com/kikunojulejuj/geography_quiz_answers.pdf
    • http://fububosuvakosal.epizy.com/automatic_garage_door_opener_project.pdf
    • https://s3.amazonaws.com/midizaxopazeji/red_old_skool_platform_vans.pdf
    • https://s3.amazonaws.com/suxugipipolazog/art_deco_2_font_free.pdf
    • https://s3.amazonaws.com/dazuxujepov/sovuseb.pdf
    • https://926da24b-d3df-4aea-ac1b-ebdf7359a9e7.filesusr.com/ugd/fef925_9677c11137aa4f67b12a203b8de770cd.pdf?index=true
    • http://xopabaw.epizy.com/runugolitarupovax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e3ba.bin
    SHA-256: 983fd32fa93e4f009a5396765e197ff20dc39a1c7d77a2eb309de9a50b22c61b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE3BA
    Size: 5024 bytes
  • font_01_sfnt_off0000f4db.bin
    SHA-256: e0a4f70859dfc0f04f0c8ff57ad2c08fe25805229f436a048f7ac037503ce4c8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF4DB
    Size: 4696 bytes
  • font_02_sfnt_off000105cb.bin
    SHA-256: 3508dc12060ea0fae2eac14217d5328b3a57e099398e622a2912cab9b3cbb6ac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x105CB
    Size: 10672 bytes
  • font_03_sfnt_off00012a95.bin
    SHA-256: b7d3fe0f0eed6e60c79e5026c6c3c7babf05c9d359090ed5b12ebb11be5d450a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12A95
    Size: 16120 bytes