Malicious PDF — malware analysis report

Static analysis result for SHA-256 459cd3c4fc45d13e…

MALICIOUS

PDF

77.7 KB Created: 2021-03-27 16:52:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b89b8a0db08e8583cd42017136a669f SHA-1: b1082db6e278c8cb38534dff58b89ec47717de75 SHA-256: 459cd3c4fc45d13e8fb4ebc1b0ade39cd893d47ca80733153c9cb2e74c296299
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic firings suggest it is part of a link farm designed to distribute malware, with one critical finding pointing to a mass external PDF link farm. The embedded URLs, such as http://microbestdigitalmeter.xyz/41172991271yq7jj.pdf, are likely used to serve the next stage of the attack. The document body, though heavily obfuscated, contains keywords related to invoices and payments, aligning with the SE_INVOICE_LURE heuristic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/award?keyword=accounts+receivable+journal+entry+pdf
    • http://microbestdigitalmeter.xyz/41172991271yq7jj.pdf
    • https://suwodofiwimi.weebly.com/uploads/1/3/4/4/134495338/b4a40.pdf
    • https://movuwopolujot.weebly.com/uploads/1/3/4/2/134266044/mejizori.pdf
    • https://wejuwano.weebly.com/uploads/1/3/1/1/131163718/8216696.pdf
    • http://peramen.22web.org/mawisimital.pdf
    • https://jabibodusap.weebly.com/uploads/1/3/2/6/132681053/geresodumurubesi.pdf
    • https://tivofexogi.weebly.com/uploads/1/3/1/3/131398075/lavenukokurolabux.pdf
    • http://ca-management.website/vudowiraz27a2.pdf
    • http://konujojijitezu.iblogger.org/reforma_anglicana_uma_igreja_nacional_na_inglaterra.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/26e62ead-6241-45fe-9e1a-d9a97b7ed863/75510694724.pdf
    • https://s3.amazonaws.com/liguwubore/recurrent_bell_s_palsy_treatment_guidelines.pdf
    • https://s3.amazonaws.com/wobuzisibal/8841369906.pdf
    • https://uploads.strikinglycdn.com/files/92077813-3e8d-4df0-970e-21f4f641e907/6395331193.pdf
    • https://uploads.strikinglycdn.com/files/8371f6f8-64fa-47f9-9aca-dd404fb0b311/9788195902.pdf
    • https://uploads.strikinglycdn.com/files/0eeaafca-1510-4319-a735-294435ed09c9/56595655295.pdf
    • https://uploads.strikinglycdn.com/files/2cea289d-eda2-46cf-a1e7-42fcf7c7a44a/19462992338.pdf
    • https://uploads.strikinglycdn.com/files/099a7c0a-e2ab-4b77-8043-bad66b198137/vedotewumefedutevo.pdf
    • https://uploads.strikinglycdn.com/files/017067f3-4a3e-4950-bc13-addbad93a568/kamibeso.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e385.bin
d81bea7ecb210dcd11d22ba9c4325137acc757bd300aa6fcbf9ae842bf388911		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE385 5396 bytes
font_01_sfnt_off0000f5f1.bin
84d730c991e7a9a2620635de5370b90f5248ebb56ca2b0cc27c7d7758e0b33ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF5F1 10976 bytes
font_02_sfnt_off00011b75.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11B75 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.