Malicious PDF — malware analysis report

Static analysis result for SHA-256 3dff198eb26c734f…

Verdict: MALICIOUS
File type: PDF
Size: 71.0 KB
Created: 2021-03-15 19:47:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 168090e8a025f2732d6fec21395feb8f
SHA-1: 783a1a9e212bbfda92bfac81f3230db55882db17
SHA-256: 3dff198eb26c734ff80cb3a1ef9574751ea48849e78625117a163ee00dad133a
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample was identified as malicious by an ML classifier and by ClamAV, which flagged it as a phishing trojan. It contains a large number of external links, many pointing to PDF files hosted on services such as Weebly, suggesting a link farm or SEO manipulation tactic. The document body is heavily obfuscated and unreadable, but the presence of numerous external links indicates an attempt to redirect the user to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000d6f5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD6F5  5640 bytes
  SHA-256: d3a20a61a10a09a25e388b61cf481232553ca74af5a50af4ce28f3745b2d2d10
font_01_sfnt_off0000ea08.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEA08  10824 bytes
  SHA-256: 59bf73ab5a99ec289c6d9ea960e64a7b56160ba5e2c5689afba313a23dd7f4b9