Malicious PDF — malware analysis report

Static analysis result for SHA-256 40d1828f97719e3f…

MALICIOUS

PDF

31.0 KB Created: 2020-04-15 22:46:32 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: f1b739d728f154293ca9c2623d8ef04a SHA-1: 6cc793afd26a4987b7933afe84ff565c29dc53d7 SHA-256: 40d1828f97719e3fd46a0faa786d9fb200e3c75c2bf02ddb1be5ff57f90ebfde
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document was identified as malicious by a machine learning classifier and ClamAV, which flagged it as Pdf.Dropper.Agent-8420898-0. The primary malicious behavior observed is the presence of a large number of external links, indicating a link farm or redirection scheme designed to lead users to potentially harmful content. The document body contains metadata and embedded URLs, reinforcing the link-based attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-8420898-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8420898-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://teamclm.com/uploads/1/3/0/8/130815115/130815115.html#ikon+adore+you+mp4
    • http://searchitforme.com/uploads/1/3/0/9/130969844/wofujo-lasunuzeru.pdf
    • http://tml-photography.com/uploads/1/3/0/7/130739816/xapad.pdf
    • http://baumanbaps.com/uploads/1/3/0/2/130291971/7720699.pdf
    • http://nowallsministry.net/uploads/1/3/1/4/131453215/kibupolokofezal.pdf
    • http://northernbeacheshousewash.com/uploads/1/3/1/6/131637714/vaworamolopez-bonewibisuworo-fobep-neruva.pdf
    • http://reformasilvatamayo.es/uploads/1/3/0/6/130620353/xuzurata.pdf
    • http://9lazy3leather.com/uploads/1/3/1/3/131380471/1579a8db725d276.pdf
    • http://pearlyandsaltyplum.com/uploads/1/3/0/7/130775603/cbe41b6be1e.pdf
    • http://chai-travel.com/uploads/1/3/0/2/130273913/f5d5ce9e04325.pdf
    • http://r2i-education-affective.com/uploads/1/3/0/5/130590368/xonimodemosusinepod.pdf
    • http://c5events.ca/uploads/1/3/0/7/130775766/516189.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b9a.bin
6d62bf3f37a39143147ede4ad8a93a444b55a76ab7126749269a9751ce6a230a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B9A 6704 bytes
font_01_sfnt_off0000666f.bin
1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838		 pdf-font-stream PDF embedded font (sfnt) at offset 0x666F 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.