Malicious PDF — malware analysis report

Static analysis result for SHA-256 3fbe7ff09e4b0932…

MALICIOUS

PDF

73.0 KB Created: 2021-05-24 04:44:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 524d8bcefbcf225e8aba6b4e2fa561f6 SHA-1: cdc54f0c30e0aaa9cbc977b61a765653d120c46b SHA-256: 3fbe7ff09e4b0932e54e96f85148bebf6969a9aef8db9f8c2883c4abf747fc03
206 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many hosted on disposable domains, suggesting a link farm or SEO manipulation tactic. The presence of a malicious ML classification and ClamAV detection, along with embedded URLs pointing to potentially malicious domains, indicates a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a date, suggesting it was generated programmatically to appear as a download link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://fokemale.ru/strik?utm_term=bnf+for+child+2018+pdf+free+download PDF link annotation
    • https://felaxifuf.weebly.com/uploads/1/3/5/3/135320117/c4ea47c8e1e8.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4474191/normal_60018a5df2a6c.pdfIn PDF document text
    • https://romugazasemagop.weebly.com/uploads/1/3/4/8/134897733/papusupiweramovefe.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4409630/normal_601ce46b152d1.pdfIn PDF document text
    • https://fiwobezamarevev.weebly.com/uploads/1/3/2/7/132740324/8298758.pdfIn PDF document text
    • https://nituxokijawagez.weebly.com/uploads/1/3/0/9/130969825/09b6674c12200d0.pdfIn PDF document text
    • https://gimuloge.weebly.com/uploads/1/3/0/7/130775506/8529748.pdfIn PDF document text
    • https://fuwewarudizikip.weebly.com/uploads/1/3/4/6/134644733/mufonodujewog-femiv.pdfIn PDF document text
    • https://buxexuwuf.weebly.com/uploads/1/3/4/6/134660927/4353502.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4418558/normal_5fe50ca2ef91d.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4459628/normal_5fca7430d7fc3.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/18aa01f9-a9cc-4ba1-b646-9b2dcf893faa/94679224573.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3ed2177b-ee26-4f06-918b-a3761476ba07/maths_riddles_with_answers.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/6d7c1390-5429-4b04-9d5b-ae0db447fda6/how_to_use_wii_classic_controller_on_dolphin.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/17d5da5e-d09c-4405-9b53-48f36e190a35/restoro_license_key_number.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c5b3bbdb-eae3-4645-809f-3a673399cb9b/joboguvevuj.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/333c2bcc-737f-45e7-b359-06d97b9fa8d3/56886602802.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f97cc914-857c-4938-9693-5c55e7143bb1/como_hacer_la_cebada_perlada.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/017a069f-6090-4849-9a1e-c48d8a3bcfc4/how_to_get_ogive_in_excel.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/485a1ddc-4524-428c-a9dd-29342b3e6e89/jolaranafufojijodarofa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/83fd72c8-374b-46a1-b8a7-c9acf9fc84df/how_to_connect_krk_rokit_5_to_audio_interface.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ed553562-301f-4307-af9f-141beb586190/55679453136.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0280c369-1457-44e2-8566-b0cf7f3038be/35208906249.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8b4b6116-2b04-42aa-bb22-098d3dbf0711/tomaruwawonutelesoti.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/8f9df88d-c85f-45d2-9d1b-68ed6a674fea/gikujibugorekevit.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df24.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDF24 5724 bytes
SHA-256: bb1ba4ca498d1b59edce04944ee0ece1b86c9ffa6326b895e3aa83986695042b
font_01_sfnt_off0000f2bd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF2BD 10380 bytes
SHA-256: 56aa90920c72bbfab61ec8541991ff1baef51fcd40a68512825f987738ad0927

Open this report in the interactive analyzer, or submit your own file for analysis.