Malicious PDF — malware analysis report

Static analysis result for SHA-256 475215f9ed279b3a…

MALICIOUS

PDF

91.8 KB Created: 2021-03-18 11:38:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: deb5ea8d69764e00538ad5bb03358f68 SHA-1: d3395ca7cd91bc69f25c3228adba2ec35ec74a4a SHA-256: 475215f9ed279b3abf7b32723cd4d84304a03ad788e37afa23afb9405f9a3697
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics reveal it functions as a link farm, containing numerous external URLs, with a specific focus on SEO manipulation or phishing. The presence of embedded URLs and the detection of PDF_SEO_LINK_FARM suggest the document's primary purpose is to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/aws?utm_term=aeschylus+eumenides+shmoop
    • https://static.s123-cdn-static.com/uploads/4419857/normal_5feb5be47be98.pdf
    • http://gubokiwurajot.iblogger.org/27895984418.pdf
    • http://tizadejaso.getenjoyment.net/81857967866.pdf
    • http://sevowina.medianewsonline.com/65640095342.pdf
    • https://static.s123-cdn-static.com/uploads/4450630/normal_5ff5d42254633.pdf
    • https://cdn-cms.f-static.net/uploads/4486034/normal_603d3b5c46d04.pdf
    • https://cdn-cms.f-static.net/uploads/4459916/normal_602afeed67af8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://4c5ad993-366d-4b3a-aa99-9b6f56583180.filesusr.com/ugd/01e791_b7017dfc325e43d4a7a1cdd97234015a.pdf?index=true
    • https://8c77b9b7-c39b-43d6-9406-6086bd2c0f93.filesusr.com/ugd/ee6770_b3e3a0afdd0b4e7f9a63bfe6d2254241.pdf?index=true
    • http://xododanigijexo.epizy.com/current_practice_of_clinical_electroencephalography_download.pdf
    • https://2ed821ec-8078-4e74-b11b-c5cec6a88262.filesusr.com/ugd/65e777_02915a2ef3a7428aa194b00a6cd46ecb.pdf?index=true
    • https://c8d0f166-86fd-441b-8df5-aa5e6c6c7644.filesusr.com/ugd/f4b3af_c4bda6d6cba84a2fa875ddee95b1fb54.pdf?index=true
    • http://bupagiji.epizy.com/favofodukulegudofinila.pdf
    • https://e5447efa-8854-4d04-834e-f0bbd7438c8b.filesusr.com/ugd/ac612b_d32099f92dce4ff884e3e4b75172543f.pdf?index=true
    • https://86b7bb9a-6a0b-496c-a062-e8aa60c365d0.filesusr.com/ugd/dcf311_7e6fff87c76549b8a7551b0d444797b7.pdf?index=true
    • http://xijevilofut.rf.gd/zebikatakerigeketelapili.pdf
    • https://72a23b54-95c1-47c0-80d6-f7b1310faeb8.filesusr.com/ugd/65b209_edee53c14d08416ab65144eaa224afe4.pdf?index=true
    • https://b1c30c75-ab46-439a-884d-3836ae4b8a49.filesusr.com/ugd/2d1648_1beb54990fc94efc8f7236db2ddaec7a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011d86.bin
55c86fcc2c041f73195af26282107b1cc288b1535aae8f9864c43bbdc7ead80a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D86 4900 bytes
font_01_sfnt_off00012dfe.bin
a5686d6b0d0b651bc1ed0f14960970ab98256a7400c9ff1fe6b6006bad1c968f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12DFE 11176 bytes
font_02_sfnt_off00015453.bin
1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15453 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.