Malicious PDF — malware analysis report

Static analysis result for SHA-256 399b3c5e95be3605…

MALICIOUS

PDF

Size: 87.2 KB
Created: 2021-04-05 04:48:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 88e1cb7bd60938e09f2da8483b9ee176
SHA-1: 1e5a6e6d95924cec0b9fc1948b7eafac3551a436
SHA-256: 399b3c5e95be3605a8c13cba3fcd6f349ad38dee3883e7b55a015414446c9a75
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting an attempt to manipulate search engine rankings or redirect users to malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. Although no scripts were explicitly extracted, the presence of numerous external URLs points to a potential download or redirection mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/123?utm_term=tata+bluescope+roofing+sheet+dealers+in+madurai
    • https://cdn.sqhk.co/duwewofowus/hhjg1sa/pebowalobuwu.pdf
    • https://garuvopu.weebly.com/uploads/1/3/1/3/131398288/3810028f5b3.pdf
    • https://cdn.sqhk.co/zarepowake/jhiiExk/xozejopefekitomadu.pdf
    • https://cdn.sqhk.co/zesonixiv/gjURR4P/72440322431.pdf
    • https://zatozidebowetam.weebly.com/uploads/1/3/1/3/131398213/depaga.pdf
    • https://sovopedu.weebly.com/uploads/1/3/5/3/135301682/mizodewinuguroj.pdf
    • https://sejevijuwev.weebly.com/uploads/1/3/2/7/132712154/520dbee4.pdf
    • https://cdn.sqhk.co/kavejufa/jcQMUie/mens_save_the_planet_vans.pdf
    • https://feriwixuwegixuf.weebly.com/uploads/1/3/4/6/134602873/sepejubire.pdf
    • https://cdn.sqhk.co/piravasufinu/7jc9Uhd/christmas_wood_cutouts_diy.pdf
    • https://nobujudiwid.weebly.com/uploads/1/3/1/4/131452838/satusumubozuj.pdf
    • https://sipizoreju.weebly.com/uploads/1/3/4/1/134131451/kexofujagaxited_riwavusosafa_vafizegapa_pamezazinep.pdf
    • https://cdn.sqhk.co/mewobonovagi/hcifgjP/53985057233.pdf
    • https://cdn.sqhk.co/womawuxinuge/bgijehb/5660521968.pdf
    • https://kodavagimiwebod.weebly.com/uploads/1/3/5/3/135346487/1770532.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/sinadi/galarian_forms_memes.pdf
    • https://uploads.strikinglycdn.com/files/cf483204-dfb2-4e69-9cf5-21bf05d39583/30788915589.pdf
    • https://uploads.strikinglycdn.com/files/ed29439b-9994-4f45-83f5-4a8f7960cef9/jvc_kd_r336_bluetooth_setup.pdf
    • https://s3.amazonaws.com/xetasif/66447272630.pdf
    • https://s3.amazonaws.com/pafexegud/addition_and_subtraction_worksheet_for_class_1.pdf
    • https://s3.amazonaws.com/dezajok/vuvunomexudasinozetidis.pdf
    • https://s3.amazonaws.com/pigolo/24079180020.pdf
    • https://uploads.strikinglycdn.com/files/71d125c5-cabc-4f6e-9d1d-4823b95555e2/60873845644.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                  Size
font_00_sfnt_off00010735.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x10735   6416 bytes
  SHA-256: 2a69545f8a9d104697b847a0f548493cbc920d2d91a2c508c9ca03512f8941e1
font_01_sfnt_off000116ff.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x116FF   5660 bytes
  SHA-256: 2204a551c9f8d87bc5453991ea4fabd02c5f7666dfda89e35d9b36016d2df5f5
font_02_sfnt_off00012a08.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x12A08   10736 bytes
  SHA-256: 72f522151cd6b74aadecefafba99c060ed383eab3087698c1483bd2cb59b66dd