Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c405c36cb002b1f…

MALICIOUS

PDF

Size: 77.9 KB
Created: 2021-03-25 03:23:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 1e3e6c87ec3d115e904dfb1f1848e228
SHA-1: 56e43e57f9529e0bf80a9090715cb4d4b7b34b59
SHA-256: 4c405c36cb002b1f36aa839203c3a6df8000253e1f122422ca587cbdc3513389
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by an ML classifier and contains a significant number of external links, indicating a potential link farm or redirection scheme. While no scripts were explicitly extracted, the presence of embedded URLs and the 'PDF_SEO_LINK_FARM' heuristic suggest an attempt to manipulate search engine results or redirect users to potentially harmful content. The document body is heavily obfuscated, preventing a clear understanding of its intended lure beyond a generic 'teaching resource' theme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_URGENCY_LURE: Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/award?keyword=teaching+budgeting+worksheets+pdf (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4368466/normal_6054e34e4621c.pdf (in PDF document text)
    • https://nozinogut.weebly.com/uploads/1/3/1/1/131164424/699904.pdf (in PDF document text)
    • https://kagodititaf.weebly.com/uploads/1/3/4/8/134868324/negizipanonig-zoxetutilij-zuzeloxojaxa.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4462038/normal_6036e0c0ede7c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4382627/normal_602822ca06e96.pdf (in PDF document text)
    • https://musekakilex.weebly.com/uploads/1/3/1/4/131406804/sujolufegazobabana.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4379241/normal_5ff4c76859f74.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0df03931-a9e5-45bc-aab8-ee84bfe72352/e93839_motherboard_ram.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/be1d5079-2e92-41d8-b8d4-1e2b71d6475d/gadixowij.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2b0318bb-bc44-4871-acdb-c2b205731772/luwoturak.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/58810c94-a85b-4b65-93a3-76fef50c0216/what_is_programmed_cell_death_ligand-1.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0ba8a5b3-ae61-43e2-9b78-3fd9d1ea7f42/ashton_kutcher_twin_sister.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/989d9c77-6b1a-457d-b46b-0b4f80abe18d/will_voyager_reach_another_solar_system.pdf (in PDF document text)
    • https://s3.amazonaws.com/xakusineba/komebeje.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ba64ae20-6294-47e5-aa1c-08877fd69d79/nunuvekujifiwatatabila.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0a1b87cc-45d0-4a87-b5ab-e98662d8ec22/lobeleleriruduxafapetewu.pdf (in PDF document text)
    • https://s3.amazonaws.com/tisegovofu/arduino_nano_expansion_board_data_sheet.pdf (in PDF document text)
    • https://s3.amazonaws.com/fedure/93864227065.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5b5c68aa-cd36-4478-9fdd-5ba063b68399/html_tags_free_download.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4744810b-6948-457c-ac47-2eef4895e1ae/38725619194.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/dbf46c4a-e5bb-419d-97cf-7cdf78a11253/vizio_sb2920-d6_review.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3a599a69-88d0-4a66-9e03-8c229ff990c5/73720276856.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8d3e2623-ad36-4bc1-8788-9016fee5534e/88143530130.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f12d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF12D | 5632 bytes
  SHA-256: 5dc544c133582de23396fcc57448441bf2f730f88b22fab9d1c8b9a5b03057f2
font_01_sfnt_off00010459.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10459 | 11056 bytes
  SHA-256: 6351879e518cdeae28d4e9a4ef145960a6edb2da2766e2f033059a18f55ca769