Malicious PDF — malware analysis report

Static analysis result for SHA-256 45cfa953a87f69dd…

MALICIOUS

PDF

82.0 KB Created: 2021-04-17 21:25:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c570a544f8ecc7f1583ff43fbabb05b SHA-1: d76bf0a887861f6a86ec6af856e239a619535fac SHA-256: 45cfa953a87f69dd66d3e63771295e7ca04cddc25bb12fd2318d3215077ae7e4
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, suggesting a link farm or redirection mechanism. The document body, though heavily obfuscated, appears to be a lure related to starting a business, which is a common tactic for phishing or malware distribution. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic strongly suggest the document's primary purpose is to drive traffic to malicious or spam sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=how+to+start+a+sports+clothing+business
    • https://dubilovatigalis.weebly.com/uploads/1/3/4/7/134701517/gunudu.pdf
    • http://lupazul.mywebcommunity.org/bohemian_rhapsody_notes.pdf
    • https://radoxawema.weebly.com/uploads/1/3/0/7/130738714/fijedexuz.pdf
    • http://marketitaly.pro/akhiyan_ch_tu_vasda_video_songh5jty.pdf
    • http://vizit.store/1275209030508d6g.pdf
    • https://ledagesobefe.weebly.com/uploads/1/3/4/3/134367542/5347511.pdf
    • https://pujawemufupu.weebly.com/uploads/1/3/2/6/132680931/9686193.pdf
    • http://gapilojazixo.getenjoyment.net/senofiremu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://paxerakomis.onlinewebshop.net/tinabezan.pdf
    • https://s3.amazonaws.com/baposivarabuj/banudagawok.pdf
    • https://s3.amazonaws.com/defipedibe/what_are_some_good_essay_topics.pdf
    • https://s3.amazonaws.com/wamatasamegu/42180081399.pdf
    • https://uploads.strikinglycdn.com/files/92920066-44a9-48b2-8b7f-b0e3fa1a1cb9/39502903415.pdf
    • https://s3.amazonaws.com/goveruduzewoxu/bavekekumi.pdf
    • https://uploads.strikinglycdn.com/files/ed482001-565b-4adc-bcfb-e7b0d8428d47/2006_vw_jetta_owners_manual_free_download.pdf
    • https://s3.amazonaws.com/xoferuzu/80015431799.pdf
    • http://bekusisit.atwebpages.com/whirlpool_gas_range_parts_diagram.pdf
    • https://s3.amazonaws.com/memobofilenabon/delhi_metro_pink_line_route_map.pdf
    • https://uploads.strikinglycdn.com/files/e75c0c70-efc0-4a73-b0f2-74d9270b3301/muzawososatupi.pdf
    • https://s3.amazonaws.com/tugabijenovili/mexoriderixigaris.pdf
    • https://s3.amazonaws.com/wegugus/23418195667.pdf
    • https://s3.amazonaws.com/samopakamefap/toca_boca_hair_salon_me_apk.pdf
    • https://uploads.strikinglycdn.com/files/464075fd-1057-430c-992b-409075fcdcf0/sosel.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010059.bin
5c1126fabb6be36a9add372d50255abaedfd655d112fd66222e70943c6ce0ea1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10059 5388 bytes
font_01_sfnt_off000112b0.bin
dcffaa5c84bd8661ea7561cd9b123ac5c4e2c465932bf64afe589e04e84d8796		 pdf-font-stream PDF embedded font (sfnt) at offset 0x112B0 11708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.