Malicious PDF — malware analysis report

Static analysis result for SHA-256 42d38e698026e447…

MALICIOUS

PDF

Size: 91.7 KB
Created: 2021-03-22 23:11:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 555b2dcb3bca0005d7c24502e14246d0
SHA-1: 2a1ad1ea1559baf3b9fc9067967ac84d3f1fc510
SHA-256: 42d38e698026e44725e6089dd704557d32c2f4c2e2b3a4928e6a14404be7e028
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to potentially malicious domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or distributing further malware. While no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of a malicious document designed to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://lozipotod.ru/123?utm_term=what+is+discrepancy+report+in+housekeeping
    • http://wopudenunebuwaz.22web.org/14522969885.pdf
    • https://mixuvuweti.weebly.com/uploads/1/3/1/4/131483588/6f7f24691.pdf
    • http://pedumerik.sportsontheweb.net/how_to_empty_dyson_dc59.pdf
    • https://kapavumir.weebly.com/uploads/1/3/5/3/135313873/792016.pdf
    • https://pesosadat.weebly.com/uploads/1/3/4/8/134885101/5c388.pdf
    • http://xugaguf.mypressonline.com/32262773369.pdf
    • https://papuxivosep.weebly.com/uploads/1/3/4/4/134491017/kexovikib.pdf
    • https://zetitazafoxiz.weebly.com/uploads/1/3/4/0/134040412/7177414.pdf
    • https://welogedaxo.weebly.com/uploads/1/3/3/9/133997457/1a575c.pdf
    • https://laziboxejebemu.weebly.com/uploads/1/3/0/7/130740401/79ed8bc7c525933.pdf
    • https://xekozetona.weebly.com/uploads/1/3/4/5/134508060/giboveruvowowu-pikoxaxisewux-gepiwexajezufe-nilozozi.pdf
    • https://verijijul.weebly.com/uploads/1/3/4/8/134861220/simepop.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fetekovabu.onlinewebshop.net/cesar_aira_la_costurera_y_el_viento.pdf
    • http://laninigetiwaw.rf.gd/advantages_of_extended_family.pdf
    • http://fijumusuxolegoj.atwebpages.com/getting_to_know_god_intimately.pdf
    • http://vidifazitonigi.epizy.com/carnatic_ragas_list.pdf
    • https://168d2a81-f750-40c6-a653-3787650f980d.filesusr.com/ugd/3bcfef_b9f68db815da42f19b62c37cadb27236.pdf?index=true
    • https://aa514bbb-a96e-4bc9-8ff3-0ca2edd1104f.filesusr.com/ugd/3fc21f_c8957b2e70014e2dbd75c3bad1d95a9a.pdf?index=true
    • https://f27bca7f-571c-471d-9e77-92385e6dfcd0.filesusr.com/ugd/9a0fa1_be7f431de66e45918ab450b4b835736b.pdf?index=true
    • https://ed4d48c2-14ea-47f5-a89a-b82193587323.filesusr.com/ugd/8ce377_d1a99d9d470840e993a433190b39929b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8af9ff6c-b904-46e9-97be-1cd8db6a6f34/samsung_galaxy_note_4_user_manual.pdf
    • http://pakafadudu.epizy.com/chhattisgarhi_gana_dj_mein_mp4.pdf
    • https://uploads.strikinglycdn.com/files/91af7ad3-5524-426e-bce0-7ea20923d3ae/what_the_hell_did_i_just_read_book_review.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000110eb.bin
    SHA-256: 7c4cec6f29b0cef116d6f120de5aa074be96994bc62da4f990cf7f77cbda7c1e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x110EB
    Size: 5484 bytes
  • font_01_sfnt_off000123a1.bin
    SHA-256: d4012a96a9ae9e2ce28ac8f2a1201082a376f64e218b6ebb7add6b87a8bbfec2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x123A1
    Size: 11740 bytes
  • font_02_sfnt_off00014b88.bin
    SHA-256: c41fc46809d2260d2d1a821cef6bb00dae560fdbad380da94a93f29d012df54e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14B88
    Size: 16164 bytes