Malicious PDF — malware analysis report

Static analysis result for SHA-256 44ffc66976a3503a…

MALICIOUS

PDF

86.6 KB Created: 2021-05-27 23:55:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f66812195120bf7baeeb1287c67688d SHA-1: 8cbd2fbed0631d058dd2ab17c2d4bb32f6ba0738 SHA-256: 44ffc66976a3503abbe479fcd24f2f013d7115f035d884bd8e22075d471dacad
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic 'PDF_SEO_LINK_FARM' suggests the document contains numerous external links, likely to a network of SEO-optimized PDFs, which is a common tactic for distributing phishing content or malware. While no scripts were explicitly extracted, the presence of embedded URLs and the overall structure point towards an attempt to redirect users to potentially harmful external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://static.s123-cdn-static.com/uploads/4454051/normal_5fe51b2a25ffc.pdf
    • https://static.s123-cdn-static.com/uploads/4462066/normal_6005b3ebac745.pdf
    • https://cdn-cms.f-static.net/uploads/4387706/normal_5fd7d97b2c989.pdf
    • https://giruwikepu.weebly.com/uploads/1/3/4/4/134464081/9098817.pdf
    • https://static.s123-cdn-static-d.com/uploads/4454562/normal_60affde779133.pdf
    • https://static.s123-cdn-static.com/uploads/4484118/normal_600819f51110b.pdf
    • https://kimonasisu.weebly.com/uploads/1/3/5/4/135400987/papukuxewerogix.pdf
    • https://cdn-cms.f-static.net/uploads/4460725/normal_60611944a8557.pdf
    • https://cdn-cms.f-static.net/uploads/4377935/normal_6035547d8d1d3.pdf
    • https://static.s123-cdn-static.com/uploads/4484356/normal_5feb45b4ef223.pdf
    • https://jatazuleb.weebly.com/uploads/1/3/4/6/134662889/xojuvikoxuki.pdf
    • https://static.s123-cdn-static.com/uploads/4456660/normal_5fdee39e45d5b.pdf
    • https://cdn-cms.f-static.net/uploads/4463809/normal_5fd2cde807d5c.pdf
    • https://tavadubamik.weebly.com/uploads/1/3/4/4/134473349/daderilefip-xotasoka-tozavule-nakaruv.pdf
    • https://static.s123-cdn-static.com/uploads/4402261/normal_60097e1a5f92d.pdf
    • https://cdn-cms.f-static.net/uploads/4452385/normal_601ad233c00ab.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://feedproxy.google.com/~r/wb/ENAH/~3/G1IkLG9TFNM/wb?keyword=do%20kenmore%20freezers%20have%20a%20reset%20button
    • https://uploads.strikinglycdn.com/files/e3a98cb3-5385-4619-b2e7-19655421faa7/how_to_clean_keurig_mini_before_first_use.pdf
    • https://uploads.strikinglycdn.com/files/2262955e-70bb-4330-805d-e49d9be76564/bamubonerusajona.pdf
    • https://uploads.strikinglycdn.com/files/46bb1ef9-084e-4dd2-be72-c44ef9836252/how_is_daggerfall_so_big.pdf
    • https://uploads.strikinglycdn.com/files/e6b7dd58-bdd1-4dc4-aaf3-7899b79df610/dominion_voting_systems_twitter.pdf
    • https://uploads.strikinglycdn.com/files/d42ed181-783f-412c-be3f-913a3ebcee35/2008_jeep_wrangler_unlimited_wheel_specs.pdf
    • https://uploads.strikinglycdn.com/files/f2442fdf-53b0-4472-a3d8-730a971483e1/what_size_battery_does_a_g_shock_use.pdf
    • https://uploads.strikinglycdn.com/files/34ccb409-be31-48c3-8bf4-e79812ba7878/how_long_to_charge_motorola_walkie_talkie.pdf
    • https://uploads.strikinglycdn.com/files/f9b54b6b-6592-4d01-979f-849b1187c03c/48139087181.pdf
    • https://uploads.strikinglycdn.com/files/f8d17053-8a71-4cca-9168-71497f9a72da/how_do_you_make_a_ragged_quilt.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001134e.bin
ff296073ec9f8379733048ef105ec3e497651a1b4d7d6f14408b26d7c49c0c1e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1134E 5288 bytes
font_01_sfnt_off00012538.bin
b89a1a412372ed5dae7bbba445ac2f7f2fa39f183dc62be0f5ba6df810bfe7de		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12538 11528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.