Malicious PDF — malware analysis report

Static analysis result for SHA-256 45d626dabedee7a0…

MALICIOUS

PDF

Size: 73.0 KB
Created: 2021-03-19 19:57:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b16f915788c4026078515bc805ec0d44
SHA-1: 55d5d07a17e0bfdf3dde2d351b881eee9e435528
SHA-256: 45d626dabedee7a022398881a301dd485d8577f41561a468fb457be95e5bab03
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying a link farm designed to direct users to various PDF documents. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or distributing further malware. While no scripts were explicitly extracted, the PDF structure and extensive external linking suggest an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://golowaki.ru/123?utm_term=taki+taki+dance
    • http://pakawuwujawo.getenjoyment.net/characteristics_of_project_life_cycle.pdf
    • http://daxavepevepa.mypressonline.com/jomijurinewitobol.pdf
    • http://janafan.scienceontheweb.net/the_advancing_guitarist_free_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://234d5d8d-19c9-4cab-a884-dd0775662658.filesusr.com/ugd/fb7225_501c0748c600467382ef3b3de2b8b9f8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9fb675af-4f37-42c9-be77-7f45c3167f8e/stairway_to_heaven_hawaii_trail_map.pdf
    • https://75a697d3-84f0-44cf-bab9-f05e37020c50.filesusr.com/ugd/7c3584_685bafc87b1f4dff8ead891306397965.pdf?index=true
    • http://lawekapijef.epizy.com/what_is_the_weight_limit_for_a_15_ft_trampoline.pdf
    • https://e0271a52-a7af-48e9-8a99-924ce320ec62.filesusr.com/ugd/be5703_b461dd299af749de8c78e4b7f6ac7e89.pdf?index=true
    • http://fomariwidodazum.rf.gd/olympus_om2_manual.pdf
    • https://c1f973cf-d719-4acb-8f9e-cd83ae4fb94d.filesusr.com/ugd/057766_c9f8ef76afcb4464a96fb09c24412281.pdf?index=true
    • https://e60c805d-b9e1-47fc-b045-983511e9ac1f.filesusr.com/ugd/116bb2_e4348afcec8f47889eadf60aba5ccf2a.pdf?index=true
    • https://a7da3e60-63c8-46c1-a846-eab7df628ed2.filesusr.com/ugd/bba345_0b3e5a7b66bf408b8648d386168e8db5.pdf?index=true
    • https://b23183eb-b2e5-455e-bc25-91fac1efd10f.filesusr.com/ugd/cc14e4_76a216862445408ba969b3b8b75379e1.pdf?index=true
    • https://e1ca4115-fb55-43f9-84f1-eaf814f8c83f.filesusr.com/ugd/18122d_330a4671c276465399887ab841a8fe5a.pdf?index=true
    • http://kadinox.epizy.com/56024126278.pdf
    • https://uploads.strikinglycdn.com/files/336f642a-879c-4ee4-b75e-4b91e8c96cc4/42658733037.pdf
    • http://xubejivulovitam.rf.gd/sat_math_test_7_answers.pdf
    • https://52468903-0e2d-47c5-babb-61e1d305d291.filesusr.com/ugd/32777b_c894500d280c4605bb56d2e0a0a67d6b.pdf?index=true
    • http://vurasoda.rf.gd/surface_area_of_composite_shapes_worksheet.pdf
    • https://d62ff7d9-aefc-4ab8-8cdf-af38868aea16.filesusr.com/ugd/54b9a1_a0a041a0db754266a68e48af790a4167.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d47f.bin
    SHA-256: eb1e95e4cf8fb2ba7a4ff49834191ee2d78b50a8c42da34ef6abc4a1227161f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD47F
    Size: 3700 bytes
  • Filename: font_01_sfnt_off0000e1ae.bin
    SHA-256: d1fff7a3b05bad280762034e48bf2cd4bb21933a092c6e0908f2240d92ddae42
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE1AE
    Size: 4640 bytes
  • Filename: font_02_sfnt_off0000f190.bin
    SHA-256: d36a2f3cba5f1fa45f1b239c9f6d648900719263113e1d089b28c9ecec3863dc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF190
    Size: 10448 bytes