Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d61f766aa63eb5e…

Verdict: MALICIOUS
File type: PDF
Size: 84.1 KB
Created: 2021-03-17 08:25:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d26039df9e949c3e68695703d0fd2d1c
SHA-1: e7a2814aef785f00655d549652cbc6f11cc08f5d
SHA-256: 3d61f766aa63eb5e9e2775cda2bc4b8b8963bd758944299e4e5e8fd2560cd22e
Risk score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Both the Nyx ML classifier and ClamAV flag the file as malicious. It was rendered from HTML with wkhtmltopdf and embeds a large number of clickable external URLs spread across many distinct hosts with no single dominant one, most of them on free or disposable content hosting. That is the shape of an SEO link farm / phishing lure rather than a document with normal citations. The PDF itself carries no exploit; the risk lies in the linked destinations, which route users into redirect or payload chains.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/award?keyword=abide+in+the+wind+manga+pdf
    • http://easycreditscore.info/aneurismas_cerebrais_fisiopatologiaxq5lv.pdf
    • http://anarchymedya.com/little_prince_book_quoteshy3qc.pdf
    • http://rupiwot.getenjoyment.net/jubixixaxidijisanisegelu.pdf
    • http://batmbatm.ru/gabonodofebivizexugo5l21c.pdf
    • http://verifedform.com/china_national_anthem_piano_sheet_music4jj1r.pdf
    • http://dewisazovuvoxi.mywebcommunity.org/contribution_of_peter_f_drucker_in_management.pdf
    • http://generatorsale.ru/the_pilgrims_progress_summary_in_hindighiu9.pdf
    • http://rmk4sale.xyz/gamedesign_grow_cube20hsy.pdf
    • http://kamikofonem.mygamesonline.org/xoponiwasal.pdf
    • http://gbo.guru/559142457075vzxe.pdf
    • http://zokiwedilar.mypressonline.com/how_to_use_google_meet_in_google_classroom_youtube.pdf
    • http://kapovulup.mywebcommunity.org/around_the_world_bass_tab.pdf
    • http://fonixeguga.mywebcommunity.org/american_college_of_radiology_guidelines.pdf
    • http://duwinijuj.mypressonline.com/pulijemupe.pdf
    • http://tabikola.online/4757135560349cji.pdf
    • http://kinemulawaw.sportsontheweb.net/lenovo_t420_wifi_drivers_for_windows_10.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/15246bae-1d7f-4228-be24-4d8583ab1592/44757726764.pdf
    • https://uploads.strikinglycdn.com/files/12a47110-d432-44e2-aa96-517227de8dfb/32098674382.pdf
    • https://72858ab8-d36f-4bc2-b208-e5ec56e76d01.filesusr.com/ugd/3a4e0e_bc46fb5777e5441cb3edc575eac4719f.pdf?index=true
    • http://segimoto.myartsonline.com/paediatric_anaesthesia.pdf
    • https://uploads.strikinglycdn.com/files/adc8a5b1-05c9-48a9-a6d5-471237f729fb/what_do_destructive_waves_do.pdf
    • https://bcd7deca-fd5d-492b-a220-d373ca515bc9.filesusr.com/ugd/12f4eb_dd248da60c3244b5bcc5c05e483d4c7c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6b62d9d6-1922-48e0-b893-9e5eccb9b460/prepositional_phrase_worksheet_grade_5.pdf
    • https://6bc61794-ec17-45f1-96eb-8bed4cd57308.filesusr.com/ugd/217b8a_d28727c2c2134365bf0cea729577fbdf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/359716fe-484a-40ab-8bd1-d3397a0346f5/64614592699.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
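The two structural heuristics above, the duplicate object definition (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the disposable-host link farm (PDF_SEO_DISPOSABLE_LINK_FARM), can be reproduced at the byte level. The Python below is an added example written for this page, not the analysis platform's own code. It scans the raw file for `N G obj ... endobj` definitions, reports objects defined twice with different bodies together with what a first-wins and a last-wins reader would each resolve, separates link-annotation URLs from URLs that merely occur in the body (such as the XMP namespace URIs in the list above, which are not a detection), and scores the link-annotation set for the "spread thin across many disposable hosts" shape. The tiny PDF it parses is constructed for the example (it has no xref tables, so a real reader would reject it); the disposable-host suffix list, the thresholds and the `seo-redirector.example` URL are assumptions; the twelve link URLs are copied from the report's list and treated as link annotations because the report shows no per-URL channel labels.

```python
"""Byte-level triage for PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and
PDF_SEO_DISPOSABLE_LINK_FARM. Added example, not the analysis platform's
code; it regex-scans raw bytes and ignores xref, object streams, encryption."""
import re
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Keys that make a redefined object "active content" (severity raised).
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|GoToR|SubmitForm|EmbeddedFile)\b")
LINK_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # literal-string /URI targets only
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
# Assumed suffixes of free/disposable content hosts (real tooling curates this).
DISPOSABLE_HOST_SUFFIXES = (
    ".mywebcommunity.org", ".mypressonline.com", ".myartsonline.com",
    ".mygamesonline.org", ".sportsontheweb.net", ".getenjoyment.net",
    ".strikinglycdn.com", ".filesusr.com")

# Constructed sample: one page with one link annotation (object 4) and XMP
# metadata, then an incremental update that redefines object 4. No xref
# tables, so only a regex scanner like this one will read it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.ascendercorp.com/) >> >> endobj
5 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://seo-redirector.example/go?utm_term=free+template+pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""
# Twelve URLs copied from the report's EMBEDDED_URL list; the report shows no
# per-URL channel labels, so treating them as link annotations is an assumption.
REPORT_LINKS = """\
http://easycreditscore.info/aneurismas_cerebrais_fisiopatologiaxq5lv.pdf
http://anarchymedya.com/little_prince_book_quoteshy3qc.pdf
http://rupiwot.getenjoyment.net/jubixixaxidijisanisegelu.pdf
http://batmbatm.ru/gabonodofebivizexugo5l21c.pdf
http://dewisazovuvoxi.mywebcommunity.org/contribution_of_peter_f_drucker_in_management.pdf
http://kamikofonem.mygamesonline.org/xoponiwasal.pdf
http://zokiwedilar.mypressonline.com/how_to_use_google_meet_in_google_classroom_youtube.pdf
http://kinemulawaw.sportsontheweb.net/lenovo_t420_wifi_drivers_for_windows_10.pdf
https://uploads.strikinglycdn.com/files/15246bae-1d7f-4228-be24-4d8583ab1592/44757726764.pdf
https://uploads.strikinglycdn.com/files/12a47110-d432-44e2-aa96-517227de8dfb/32098674382.pdf
https://72858ab8-d36f-4bc2-b208-e5ec56e76d01.filesusr.com/ugd/3a4e0e_bc46fb5777e5441cb3edc575eac4719f.pdf?index=true
http://www.ascendercorp.com/
""".split()

def object_definitions(data):
    """(num, gen) -> bodies in file order. Incremental updates append, so
    bodies[0] is what a first-wins reader resolves and bodies[-1] a last-wins one."""
    defs = {}
    for num, gen, body in OBJ_RE.findall(data):
        defs.setdefault((int(num), int(gen)), []).append(body.strip())
    return defs

def duplicate_objects(data):
    """Objects defined more than once with differing bodies; severity is
    raised only when at least one copy carries active content."""
    findings = []
    for key, bodies in object_definitions(data).items():
        if len(set(bodies)) < 2:
            continue
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings.append({"obj": key, "copies": len(bodies), "active": active,
                         "severity": "high" if active else "info",
                         "first_wins": bodies[0], "last_wins": bodies[-1]})
    return findings

def extract_urls(data):
    """URLs per channel: clickable link annotations versus strings that merely
    occur in the body (XMP namespaces, font licence URLs), which are no detection."""
    link = [m.decode("latin-1") for m in LINK_URI_RE.findall(data)]
    body = [m.decode("latin-1") for m in ANY_URL_RE.findall(data)]
    return {"link_annotation": link, "body": [u for u in body if u not in link]}

def link_farm_verdict(link_urls, min_links=8, max_dominant_share=0.5):
    """Many clickable links spread thin over hosts (no dominant host),
    corroborated by a utm_term redirector and/or disposable content hosts."""
    hosts = [urlsplit(u).hostname or "" for u in link_urls]
    counts = Counter(hosts)
    dominant_share = max(counts.values()) / len(hosts) if hosts else 0.0
    disposable = sorted({h for h in hosts if h.endswith(DISPOSABLE_HOST_SUFFIXES)})
    seo = [u for u in link_urls if "utm_term=" in urlsplit(u).query]
    spread_thin = len(link_urls) >= min_links and dominant_share <= max_dominant_share
    return {"links": len(link_urls), "distinct_hosts": len(counts),
            "dominant_share": round(dominant_share, 2), "disposable_hosts": disposable,
            "seo_redirectors": seo, "flag": spread_thin and bool(disposable or seo)}

if __name__ == "__main__":
    for d in duplicate_objects(SAMPLE_PDF):
        print(d["obj"], d["severity"], d["first_wins"], b"->", d["last_wins"])
    print(extract_urls(SAMPLE_PDF), link_farm_verdict(REPORT_LINKS))
```

Run as a script it reports object 4 0 as defined twice with active content (severity high), shows that a first-wins reader lands on ascendercorp.com while a last-wins reader lands on the utm_term redirector, splits the sample's URLs into two link annotations plus one body-only XMP namespace, and gives the report's links a verdict of 12 links across 11 hosts, dominant share 0.17, seven disposable hosts, no utm_term redirector among the listed URLs, flag raised. A production scanner must resolve objects through the xref chain and decode object streams (/Type /ObjStm), filters and encrypted files; otherwise an author simply places the active copy where a regex cannot see it, which is exactly the parser-confusion the duplicate-object heuristic is about.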

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fd0d.bin
  SHA-256: 4da77de3360fde2a99e45121c6c25ace577bac5ba358e49c137e06bebd43b465
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD0D
  Size: 4304 bytes

Filename: font_01_sfnt_off00010c5c.bin
  SHA-256: 40fbe60679733f666c2eab3dc9f9969c9d074811bac46ea9014af3956ca5e15d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10C5C
  Size: 5368 bytes

Filename: font_02_sfnt_off00011e90.bin
  SHA-256: 90c69e996440b95203fb7b16d49366fd750b69af3caf29d84051facfb5273dc9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11E90
  Size: 10920 bytes