Malicious PDF — malware analysis report

Static analysis result for SHA-256 3998c5bdee8e3745…

MALICIOUS

PDF

76.6 KB Created: 2021-03-21 01:19:39 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd3af4631c2a32a555fd220d2a1463e8 SHA-1: 1fb5a3df93927212704842a6e70eade0340f6f60 SHA-256: 3998c5bdee8e3745e49a880750123dbf63b5f7ce6b672442b84242c7c112d8e2
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many pointing to disposable domains, suggesting a link farm or SEO spam operation. ClamAV and ML heuristics identify it as malicious, likely a phishing or trojan delivery mechanism. The document body, though heavily obfuscated, contains keywords related to 'math worksheets' and is generated by wkhtmltopdf, indicating a potential lure to disguise malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/wix?keyword=junior+high+math+worksheets
    • https://cdn.sqhk.co/zowolanazew/jaPrzQP/65531314388.pdf
    • https://cdn.sqhk.co/wazafepel/cCig2fj/guess_the_picture_quiz_ppt.pdf
    • http://vixemifojetinag.sportsontheweb.net/society_and_culture.pdf
    • https://cdn-cms.f-static.net/uploads/4423700/normal_60155659b9767.pdf
    • https://manabuvajej.weebly.com/uploads/1/3/4/8/134847277/xoguxe_podaxawodej_rafufuj.pdf
    • http://ludirobus.getenjoyment.net/cubs_schedule_2020.pdf
    • https://cdn.sqhk.co/rufopunuk/hcQHRgc/afterburner_arcade_controls.pdf
    • https://cdn-cms.f-static.net/uploads/4367667/normal_60469a15dc9c9.pdf
    • https://xugugizebe.weebly.com/uploads/1/3/1/4/131482894/0cc12710de56.pdf
    • http://gajonedorebuko.mywebcommunity.org/nebex.pdf
    • http://modezewop.mygamesonline.org/shadowing_japanese.pdf
    • http://jadogaxarabu.mygamesonline.org/jaluvemodututog.pdf
    • https://mejodedasebedo.weebly.com/uploads/1/3/4/7/134725949/zejojipaxumer_kiwozaxuxov.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://c1cb471f-fc5c-4ef2-b3e1-4d0d0d09d135.filesusr.com/ugd/cc5b41_64bbc0c48efa46eba10066c75eb0a76c.pdf?index=true
    • https://fbaba6ab-37cf-477f-82bd-e10a416eccda.filesusr.com/ugd/3c8574_21721bca13444bcd88192bf9b0e3d803.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b8e234d8-6704-4612-be11-070b65143044/64292769921.pdf
    • https://uploads.strikinglycdn.com/files/0d52ac40-f8fd-446a-885b-a9ebe590a48f/weber_smokey_mountain_22.5_cooker_smoker.pdf
    • https://uploads.strikinglycdn.com/files/ba7d23db-519d-45ba-8799-57ea66de5c11/the_story_max_lucado_video.pdf
    • https://8d67285a-e3c5-4820-bb1a-bb91ce1079a6.filesusr.com/ugd/d54300_9c1d3dc123004245807408524a10dead.pdf?index=true
    • https://47c0d0ed-94e3-447f-940a-e265262d053f.filesusr.com/ugd/a43ec6_94eebc8a6de74ad8bd383d63b4365644.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0db50de6-d3cd-452a-a732-1dfea63b103b/united_states_army_symbol_meaning.pdf
    • https://uploads.strikinglycdn.com/files/a4448382-617c-4209-bb66-0a6e428e5dd5/free_download_twilight_2008_full_movie_in_hindi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef2f.bin
e80bef4feb522b596948020f00f03ff959e1a2b50e3b5e7ac0e541f83d90ba61		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF2F 5212 bytes
font_01_sfnt_off000100d1.bin
e305c03331fd32f418ce50736cd38bf5ab28f022d082ce79012188a5ab328326		 pdf-font-stream PDF embedded font (sfnt) at offset 0x100D1 10688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.