Malicious PDF — malware analysis report

Static analysis result for SHA-256 457a60308e403202…

MALICIOUS

PDF

75.8 KB Created: 2021-04-03 04:25:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc11c08d08c4a23fddea542edd1b4078 SHA-1: 9e839d3b86eaf3e62cb1b59c27c58db3f2d9e31c SHA-256: 457a60308e403202c6be2d80cdf3bb1d970a5ccb39441188656d5d8649a55b09
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by ClamAV as a phishing trojan and by an ML classifier, indicating malicious intent. It contains a large number of external links, with a critical heuristic identifying it as a 'PDF_SEO_LINK_FARM'. One of the primary external links points to 'https://mezovuduw.ru/wix?keyword=asus+x551m+repair+manual', and another heuristic highlights a link farm starting with 'http://pro-konditer.com/fifipegajhesi.pdf'. The presence of these links suggests the document is designed to redirect users to malicious sites or download further malware, likely as part of a phishing or SEO-based attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/wix?keyword=asus+x551m+repair+manual
    • http://pro-konditer.com/fifipegajhesi.pdf
    • http://mylic.ru/orchestration_walter_piston_downloadk5ziq.pdf
    • https://cdn-cms.f-static.net/uploads/4491168/normal_6026ea38e4e63.pdf
    • http://fruitslope.online/78366354285hm4z5.pdf
    • https://cdn-cms.f-static.net/uploads/4464303/normal_6041ee6e629d2.pdf
    • http://businessoutsourcing.org/37461393275r9u81.pdf
    • https://cdn-cms.f-static.net/uploads/4445118/normal_5fd6363e1d8a3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b20aee1f-b1b7-4e4e-be5e-d884e4ece670.filesusr.com/ugd/10e3af_79bd8be3720d4dddbd96ac08c42a0fc2.pdf?index=true
    • https://a519209a-2b0a-481f-9fe9-460c873bdc80.filesusr.com/ugd/270e53_e6bee623166f4d379117d13b060225fb.pdf?index=true
    • https://s3.amazonaws.com/firigugixujotov/subject_verb_agreement_singular_plural_worksheet.pdf
    • https://uploads.strikinglycdn.com/files/01476ce5-2ac3-4614-8edb-ce9ac117ad2e/the_myth_of_sisyphus.pdf
    • https://d4cba69e-f3c5-4a64-9e40-69ba24924691.filesusr.com/ugd/b73feb_3c764b2b7f4b42eb8304c8116702bb48.pdf?index=true
    • https://f3874c2d-c116-49c2-b7b6-9300dc8fc43e.filesusr.com/ugd/b11f6d_6d19403db50843b9aaffeeb326909495.pdf?index=true
    • https://8d684a1e-4078-49cd-b336-05adf09473b6.filesusr.com/ugd/2b25e8_24510ab4e318496daf7b4ee1f55fdcc4.pdf?index=true
    • https://92fed17e-af34-466b-b3fe-38cd9ef27699.filesusr.com/ugd/192d58_bb380ba169704c319883c582135b82b9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d63420d7-6ed8-4603-95c3-c08078a0a7f9/verbal_reasoning_practice.pdf
    • https://s3.amazonaws.com/pexodugosa/hp_officejet_pro_8100_n811a_printhead_missing_failed_or_incompatible.pdf
    • https://c1ab63b4-4781-4901-abeb-f581ed41d26f.filesusr.com/ugd/b44917_f046e431c8be451d9b1efee122c5ccb1.pdf?index=true
    • https://s3.amazonaws.com/panalipolifod/sylvia_plaths_daddy_as_a_confessional_poem.pdf
    • https://uploads.strikinglycdn.com/files/211124a4-0058-4ab6-8589-db4a8ae529ac/cisco_8742_manual.pdf
    • https://f5d5bca3-0ffd-41e3-a77d-3d805a1e43e5.filesusr.com/ugd/4e23ca_2555e4ae42fb4bd79c584342924a12c4.pdf?index=true
    • https://s3.amazonaws.com/jezaxojipevu/namevijogarisiwukinifuket.pdf
    • https://9b321a86-0615-40a7-b684-6dced782f4cc.filesusr.com/ugd/e3cae3_c14f2a2fb0eb4ac99b175b282e9c19be.pdf?index=true
    • https://s3.amazonaws.com/jajoxulabojaso/how_to_get_your_florida_real_estate_license_online.pdf
    • https://9d349da1-218b-4b59-9e37-2a90cab56d40.filesusr.com/ugd/de9003_c557d18161644032a534004dcad113e2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/165d9501-c282-475a-923e-40a02c095dc9/59052630246.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e08b.bin
2d2491dbdd595b1b87f98c1a0ae72f8b14b955a0c7c790045c7ad1475acfa6dc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE08B 5196 bytes
font_01_sfnt_off0000f22c.bin
47db033c17a730af606b780eec56ec2b27f14a92f1254b38a8b33bd025bb43f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF22C 15908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.