Malicious PDF — malware analysis report

Static analysis result for SHA-256 3fa3c6bedc30b7ae…

Verdict: MALICIOUS
File type: PDF
Size: 88.7 KB
Created: 2021-03-23 12:47:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 53be1aaf19da1cf1f68d419713e09f60
SHA-1: 76735186d2f81c68e0b830a5556993c434463828
SHA-256: 3fa3c6bedc30b7aee69fbb2ecec00bd7841120cb053444b679e9cec65213169f
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, many of which are likely part of a link farm designed to direct traffic to various sites. The heuristic 'PDF_SEO_LINK_FARM' and the presence of numerous URLs strongly suggest this malicious intent. While no scripts were explicitly extracted, the PDF structure and link farm activity are indicative of a phishing or traffic-generation scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00011c1d.bin
    SHA-256: bce82db7de053f2d2ecd4ef529c1ea4ed73edca3fa95d7aa60c46506861d958d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11C1D
    Size: 5112 bytes
  • Filename: font_01_sfnt_off00012d7b.bin
    SHA-256: d9725ed304c919288d15ed146872f555dfe5d3e49bb9c36fc0be1ef732545f4c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D7B
    Size: 11380 bytes