Malicious PDF — malware analysis report

Static analysis result for SHA-256 43d8b671a25218f9…

MALICIOUS

PDF

92.6 KB Created: 2021-05-13 12:32:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 352dff4c9c064c388be5c718cfb9da35 SHA-1: e5cd809b43d8871a9dd3c0a3ea8f0842fb9f41cf SHA-256: 43d8b671a25218f929f0532fcff8e1ec65c923ab787281647434f6b312c74af5
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, suggesting a link farm or phishing attempt. The document body, though heavily obfuscated, contains metadata related to wkhtmltopdf and a date, but no clear user-facing text. The presence of numerous external URLs, including those hosted on domains like 'seumenha.ru' and 'sqhk.co', strongly indicates an attempt to redirect users to potentially malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/strik?utm_term=does+home+depot+sell+viking+appliances
    • https://cdn.sqhk.co/nejibija/jAlTA1R/red_bouncy_ball_4.pdf
    • https://bidopafogusiw.weebly.com/uploads/1/3/1/0/131070115/texujaz_pobasazagejik_zosiripezatas.pdf
    • https://cdn.sqhk.co/gikunixa/iiXMTjx/panic_button_movie_trailer.pdf
    • https://cdn.sqhk.co/tisewesir/jh0jjji/vidobosixoxe.pdf
    • http://zugapuvu.mywebcommunity.org/5005104276.pdf
    • https://taxajoberaruvu.weebly.com/uploads/1/3/4/3/134320235/bccbfb.pdf
    • http://jozipuvuwuzaj.mywebcommunity.org/air_force_academy_application_status.pdf
    • http://sejujanovemo.medianewsonline.com/test_automation_using_selenium_webdriver.pdf
    • https://cdn-cms.f-static.net/uploads/4423442/normal_604d754c7e321.pdf
    • https://cdn.sqhk.co/bepeguvovori/YjcLAib/467757376.pdf
    • https://cdn.sqhk.co/vomemubevu/ajdhgie/the_last_ninja_origin_lucky_gift_code.pdf
    • http://jidudilubad.mygamesonline.org/83379159412.pdf
    • https://cdn-cms.f-static.net/uploads/4384159/normal_60218a4eed8e7.pdf
    • https://static.s123-cdn-static.com/uploads/4370319/normal_6001034946eb9.pdf
    • https://degunosusoteri.weebly.com/uploads/1/3/1/4/131453230/4086365.pdf
    • https://cdn-cms.f-static.net/uploads/4459035/normal_601addd6442ad.pdf
    • https://static.s123-cdn-static.com/uploads/4471995/normal_5ff4a5273d229.pdf
    • https://cdn-cms.f-static.net/uploads/4497344/normal_602afa4329e85.pdf
    • https://static.s123-cdn-static.com/uploads/4454171/normal_5fec07bb9c9af.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2df11f50-b425-471b-b09a-9112bc06ba4c/38947933604.pdf
    • https://uploads.strikinglycdn.com/files/651003d8-d88d-4556-9fb3-66ea412acf51/air_force_1_ladies_size_7.pdf
    • http://mobukug.myartsonline.com/bp_brand_identity_guidelines.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012b69.bin
4145c79af7b88d0b6e2ed496c7d4557fd9d8977d921ff5f336550f05730d4e8b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12B69 5512 bytes
font_01_sfnt_off00013e10.bin
2f5f90f3557b364384b30cd1db1c8f38962188b911149b2517f09584d05e6158		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13E10 11572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.