Malicious PDF — malware analysis report

Static analysis result for SHA-256 41e1c528a57f49a1…

MALICIOUS

PDF

80.9 KB Created: 2021-03-24 23:30:22 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d05c1d30444786d5fda999f776daea2b SHA-1: 1e9449f44adddc35174f0a1bda3c986befd53f60 SHA-256: 41e1c528a57f49a1bfad23ab3866f7dea9dc886b145fcaeb6161e9e714134fe7
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with one heuristic specifically identifying a 'PDF_SEO_LINK_FARM' pattern. The document body, though partially corrupted, suggests a lure related to 'Ark Survival Evolved'. The presence of multiple external URLs and a high ML classification score indicate a malicious intent, likely to redirect users to phishing sites or download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/123?utm_term=ark+survival+evolved+solo+play+guide
    • https://cdn-cms.f-static.net/uploads/4447437/normal_5fe66d364e557.pdf
    • https://cdn-cms.f-static.net/uploads/4452169/normal_6047f48aa7821.pdf
    • https://cdn-cms.f-static.net/uploads/4384628/normal_6029ce6bba796.pdf
    • https://cdn-cms.f-static.net/uploads/4375525/normal_6042ecbfcde63.pdf
    • https://cdn-cms.f-static.net/uploads/4376852/normal_6024557705c79.pdf
    • http://romodiresabujum.22web.org/repilorikeditapowonofezab.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://19f621d4-ab03-49b5-bf1d-c78de40104d4.filesusr.com/ugd/bc84a3_7eac3b2c1b094756b09e30782fcc6dac.pdf?index=true
    • http://bufifotuxif.rf.gd/retrocalcaneal_bursitis.pdf
    • https://uploads.strikinglycdn.com/files/4d9c4b37-d147-4fde-986e-6d9f86bb675b/64945355163.pdf
    • https://uploads.strikinglycdn.com/files/49111d81-13b3-4d3a-9eb8-3bf32da4fa15/how_to_restart_my_kindle_keyboard.pdf
    • https://uploads.strikinglycdn.com/files/9f9ed53a-ddb9-46d7-9f6c-1448cd4f8cb0/how_to_turn_on_a_bosch_dishwasher.pdf
    • https://3568c1c9-c281-4b9a-9ea9-d5d291e0176b.filesusr.com/ugd/e5d8db_8c2ee3205c5f417196bf5dfdc6a3037f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9844391b-7b6a-43aa-9a93-437a1e01c7fc/which_weather_variable_is_the_following_instrument_designed_to_measure.pdf
    • https://3ae4d138-4ba3-4962-98fb-1b98b40a6a82.filesusr.com/ugd/38062a_d627dd4f2d4d49a9bdc165a24eac0014.pdf?index=true
    • http://xofuzugavup.epizy.com/49419992027.pdf
    • https://uploads.strikinglycdn.com/files/653c494d-0db7-4b06-aa9e-03e708abf5bd/50732922057.pdf
    • https://uploads.strikinglycdn.com/files/1059579c-bf03-4ed9-8f7c-bf122b1bc0e3/zadef.pdf
    • https://uploads.strikinglycdn.com/files/b48cbdaf-55d1-4413-aa1f-f527d340fd81/roxabepifoxorirewezirosam.pdf
    • https://48bd7725-9370-4d18-884e-e75d7b70c9c4.filesusr.com/ugd/f241d9_e2d448f1a3c4450c9ba7d3fb42cf3049.pdf?index=true
    • https://a9f3490c-def6-45ea-9957-aefa341d54bd.filesusr.com/ugd/84b587_753d6e1270d54003933a15b82d7738e4.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fe3a.bin
9f34cc562fefa8761abd55f5a1c39932f803a9d303cf413b7b3d23bc14eb8683		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFE3A 5344 bytes
font_01_sfnt_off00011087.bin
ea2f007707da9c53cf2de2e6736a3397bb4378255b96783868445f1f8eeb40c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11087 10988 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.