Malicious PDF — malware analysis report

Static analysis result for SHA-256 43e747361070b1c3…

Verdict: MALICIOUS
File type: PDF
Size: 81.1 KB
Created: 2021-03-29 17:26:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc4d145cfdb36ba3677b7b64544532b0
SHA-1: 738e7b2012e5be0b9aa6ea2b9d0c70323a0c1eb4
SHA-256: 43e747361070b1c3bb56288e2da0602763debf34df45c242826fbee1e37a86ba
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

ClamAV and the ML classifier both flag this PDF as malicious. Its content is dominated by external links: a large number of clickable URL actions, many of them .pdf paths clustered under the single host cdn.sqhk.co, and one carrying a search-keyword query string (golowaki.ru/wix?keyword=...), which is the shape of a generated SEO-poisoning link-farm carrier rather than a document that cites sources. The producer string (wkhtmltopdf, an HTML-to-PDF renderer) is consistent with the file having been generated from an HTML template. Taken together, the URLs and the file structure point to redirecting readers into phishing or malware-delivery chains. Note that none of the five heuristics below reports embedded JavaScript, so the T1059.007 mapping is not corroborated by the static findings listed on this page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external links to further PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, and does not resemble a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI (info, PDF_URI)
    The PDF contains at least one external URL action (/URI).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch, URI or open actions).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/wix?keyword=saxon+algebra+1+test+answers
    • http://vatidenow.medianewsonline.com/osaka_bay_area_map.pdf
    • https://cdn.sqhk.co/lunosupi/8jeJ6hg/turbo_racing_3d.pdf
    • http://reactivaperu-viabcpi.com/piranha_pit_bike_for_sale_near_meu4i7k.pdf
    • https://cdn.sqhk.co/koxuzofu/2gizJjh/samsung_internet_browser_clear_search_history.pdf
    • http://ruregere.sportsontheweb.net/business_model_template.pdf
    • http://tigadugutuvatix.mygamesonline.org/50633676116.pdf
    • https://cdn.sqhk.co/fivufotimad/jVlMvhN/jukaperef.pdf
    • https://cdn.sqhk.co/letarezetap/qCFbfIF/free_funeral_program_brochure_psd_template.pdf
    • https://cdn.sqhk.co/budajawisore/idibifW/51388534033.pdf
    • https://cdn.sqhk.co/kuretunaba/Bi2PFic/korean_bbq_near_me_open_now.pdf
    • https://cdn.sqhk.co/ruxuzobisu/y1heThd/3d_archery_tournaments_in_texas.pdf
    • https://cdn.sqhk.co/tugitajusow/kf8jfig/episode_guide_peaky_blinders_season_1.pdf
    • http://retamos.mygamesonline.org/gargle_with_apple_cider_vinegar_for_white_teeth.pdf
    • https://cdn.sqhk.co/sipebesoxu/CbT1ghp/everfi_module_5_credit_scores_answers.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://ed8bc375-cd54-49ab-9ddb-988cb5b2fc3d.filesusr.com/ugd/3f3824_14542794d1e84383af76eec5241f0610.pdf?index=true
    • http://mivuzovi.epizy.com/100_protocolos_de_auriculoterapia_gratis.pdf
    • https://27420876-d215-4860-9a72-f48db0d0c320.filesusr.com/ugd/4062c2_9ce926b72aea426a86476c80b6a3cb1d.pdf?index=true
    • https://f18b8dc1-3ce9-44bd-8712-01435d039869.filesusr.com/ugd/b97cba_2bb7c4a8324b496da28ca01fc9d5a9e9.pdf?index=true
    • http://sewadereweben.epizy.com/evento_cerebrovascular_hemorragico.pdf
    • https://c370dac7-4848-4fa0-a6df-94361299e8ba.filesusr.com/ugd/fa6303_65fd4fb8c3cf4797af1b8c25a3fc02b8.pdf?index=true
    • http://tulifal.onlinewebshop.net/75092751856.pdf
    • http://lojosikol.epizy.com/bravely_second_3ds_rom.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, not navigable link targets, and scripts.sil.org/OFL is the SIL Open Font License URL; together with the two type-foundry sites (ascendercorp.com, daltonmaag.com) they most likely come from the embedded fonts' licence and name metadata and should be excluded when counting link-farm targets.
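As an added example, not the analysis platform's own rule code, the following Python scanner reproduces the two structural heuristics above over raw PDF bytes: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (an object number defined twice with different bodies, shown as what a first-wins and a last-wins reader would each resolve, escalated only if a definition carries active content) and PDF_SEO_LINK_FARM (many /URI link targets, mostly .pdf paths on one host, in a small file). The sample PDF, the .test hostnames, the active-content key list and the numeric thresholds are constructed assumptions; the real rules' thresholds are not published on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Raw-byte patterns: one indirect object "N G obj ... endobj", and the string
# operand of a /URI key (the target of a link annotation or URI action).
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys that make a redefined object "active content" (loose substring match, assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI")


def iter_objects(data: bytes):
    """Yield (num, gen, body) for every object definition in file order, ignoring
    the xref/trailer chain, as a damaged-file reconstruction pass would."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def find_duplicate_objects(data: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: objects defined more than once with differing
    bodies. 'first' is what a first-wins reader resolves, 'last' what a last-wins reader
    (normal incremental-update semantics) resolves. Byte-identical redefinitions,
    common in benign saves, are not reported."""
    bodies_by_key = {}
    for num, gen, body in iter_objects(data):
        bodies_by_key.setdefault((num, gen), []).append(body)
    dups = {}
    for key, bodies in bodies_by_key.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            dups[key] = {
                "first": bodies[0],
                "last": bodies[-1],
                # severity is raised only when some definition carries active content
                "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
            }
    return dups


def extract_uri_actions(data: bytes) -> list:
    """Targets of /URI actions only; XMP namespace URIs in metadata streams do not match."""
    unescape = lambda s: re.sub(rb"\\([()\\])", rb"\1", s)
    return [unescape(m.group(1)).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_score(data: bytes, max_size=200_000, min_links=5, host_share=0.5) -> dict:
    """PDF_SEO_LINK_FARM: small file, many external links, most on one host, most
    pointing at further .pdf paths. The thresholds are illustrative assumptions."""
    urls = extract_uri_actions(data)
    hosts = Counter(urlsplit(u).hostname or "" for u in urls)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_links = sum(urlsplit(u).path.lower().endswith(".pdf") for u in urls)
    share = top_count / len(urls) if urls else 0.0
    return {
        "size": len(data), "links": len(urls), "pdf_links": pdf_links,
        "top_host": top_host, "top_share": round(share, 2),
        "PDF_SEO_LINK_FARM": (len(data) <= max_size and len(urls) >= min_links
                              and share >= host_share and pdf_links >= min_links),
    }


# Constructed sample: a six-link farm PDF plus an incremental update that redefines
# the catalog (object 1) with an /OpenAction URI. Hosts are .test names; xref tables
# are omitted because the scanner walks raw object definitions.
FARM_URLS = [
    "https://cdn.example-farm.test/u1/aB3xQ/turbo_racing_3d.pdf",
    "https://cdn.example-farm.test/u2/Zk9Lm/korean_bbq_near_me.pdf",
    "https://cdn.example-farm.test/u3/Pq7Rt/business_model_template.pdf",
    "https://cdn.example-farm.test/u4/Hh2Ww/51388534033.pdf",
    "https://cdn.example-farm.test/u5/Vv5Nn/episode_guide_s1.pdf",
    "http://mirror.freehost-example.test/osaka_bay_area_map.pdf",
]

def _link_annot(num: int, url: str) -> bytes:
    return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >>\nendobj\n").encode()

ORIGINAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >>\nendobj\n"
    + b"".join(_link_annot(n, u) for n, u in enumerate(FARM_URLS, start=4))
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
INCREMENTAL_UPDATE = (
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /URI /URI (https://redirector.example-farm.test/go?k=1) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_PDF = ORIGINAL_PDF + INCREMENTAL_UPDATE

if __name__ == "__main__":
    for (num, gen), d in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined twice, active={d['active']}")
        print("  first-wins:", d["first"].decode("latin-1"))
        print("  last-wins: ", d["last"].decode("latin-1"))
    print(link_farm_score(SAMPLE_PDF))
```

Run stand-alone, the script reports object 1 0 as defined twice with active content (the last-wins body carries the /OpenAction URI that the first-wins body lacks) and scores the file as a link farm: seven /URI targets, six of them .pdf paths, five on the same host. Pointing it at the real sample is a matter of reading the file bytes instead of SAMPLE_PDF; a production rule would additionally walk the xref /Prev chain to tell a genuine incremental update from a body simply appended after %%EOF.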

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt (TrueType-style) font programs, the normal output of an HTML-to-PDF renderer such as wkhtmltopdf embedding subsetted fonts; the report raises no finding against them, and they are worth examining only if a font-parser exploit is suspected.

font_00_sfnt_off0000e1d0.bin
  SHA-256: 10a07fc969e6c8cf41398fcfefa625e426b29a45b33f3716d0886db1405c0d2a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE1D0
  Size: 2900 bytes

font_01_sfnt_off0000ec13.bin
  SHA-256: 2661880d789eb048a86c80453b43273db26530cf89a5260a600a37b2674eb710
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEC13
  Size: 5048 bytes

font_02_sfnt_off0000fd5b.bin
  SHA-256: 447e7c740b5af086c2698a78ae86e23061703c7f6e937543dceb04c5b75617d5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD5B
  Size: 12652 bytes

font_03_sfnt_off000126f9.bin
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x126F9
  Size: 4324 bytes