Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d79c871323a7b6c…

Verdict: MALICIOUS
File type: PDF
Size: 79.3 KB
Created: 2021-04-04 23:24:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8bcd28ac625c13eff9e182a741f72bad
SHA-1: 7375b0024acfccf50c695a0e3b7a01cbbd9dfe9b
SHA-256: 4d79c871323a7b6c0e2c43674305ba830935bea7f58ddb8f42828d6bc2b0a8e9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one heuristic specifically identifying a 'PDF link farm' and another flagging it as a 'Phishing Trojan'. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of embedded URLs and the nature of the heuristics suggest the PDF is intended to redirect users to potentially harmful websites, likely as part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ponafet.ru/strik?utm_term=the+night+manager+streaming+season+1
    • http://about-fb-support.com/las_chicas_de_alambre_sinopsis1huyr.pdf
    • https://cdn.sqhk.co/takepoladev/he0Gvih/20639946517.pdf
    • http://uabiomanix.xyz/how_do_cash_dividends_affect_cost_basisvo3mb.pdf
    • http://seamanygau.best/the_greatest_salesman_in_the_world_telugu_free_downloads5bo6.pdf
    • http://tesar-krd.ru/the_end_hot_sauce_scovillepj8rn.pdf
    • http://mexicotop.xyz/79881788792zc1z0.pdf
    • https://cdn.sqhk.co/vasibejovej/ghfonZE/80216826822.pdf
    • http://presalle.xyz/cayman_islands_company_register_number_formatgqvlk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/76de3cec-5eee-409b-a919-767c8c740d84/how_to_use_a_youtube_video_as_a_ringtone.pdf
    • https://aed0ee3a-d217-4696-a563-de9ff15d6c37.filesusr.com/ugd/f80e3f_ec423027ece44fc6868adcdea4eff453.pdf?index=true
    • https://uploads.strikinglycdn.com/files/882f1cfc-30e8-4b64-9137-eb4f571d1c08/jegexusupizabixapo.pdf
    • https://uploads.strikinglycdn.com/files/4df87405-3ecc-4784-ad60-9e7aff3c4df4/gimefabudosokopob.pdf
    • https://uploads.strikinglycdn.com/files/ca1f5bb5-c276-4acc-80f4-8a52b3e0512c/what_is_the_purpose_of_structured_query_language.pdf
    • https://34e51215-b586-4e01-b3ea-a219475a7b91.filesusr.com/ugd/46481b_82e311c1328246a897e981ea0474cd9c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/13039a04-787a-4709-94d5-0ef8ba18a326/geometry_survey_7.3_worksheet_answers.pdf
    • https://uploads.strikinglycdn.com/files/791248db-6224-4e5a-abf2-68551f79fad4/how_to_make_excel_formulas_permanent.pdf
    • https://uploads.strikinglycdn.com/files/aa0496d9-68c1-4ec1-b957-5ed1e4e2ed4e/where_is_the_power_steering_pump_located_on_a_2007_pontiac_grand_prix.pdf
    • https://uploads.strikinglycdn.com/files/d3fa0bb3-4fab-48db-9b41-34755d05367e/maytag_3000_series_washer_f70_code.pdf
    • https://uploads.strikinglycdn.com/files/38964d7a-fe41-4a42-8922-e2b6822f9ce7/newoxuf.pdf
    • https://uploads.strikinglycdn.com/files/c588b236-d9ed-4cef-9edd-4a148f7e9803/walatevalefunixiku.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000d8c1.bin
  SHA-256: d238fdde9327e978cae36619c34ad1e993de1eb61d9bfe0081e6c3930d4dc060
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xD8C1
  Size:    5068 bytes

font_01_sfnt_off0000e9d2.bin
  SHA-256: 1620336da6018abf771a3b64a4739dbc5cc5761e5bcfd31f9568e9163b5e6178
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE9D2
  Size:    2656 bytes

font_02_sfnt_off0000f4d8.bin
  SHA-256: b3976ad28991401f3a7e0d936621f3963ed8fd81aff5bedc9e25cf6548b1959b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF4D8
  Size:    2108 bytes

font_03_sfnt_off0000feae.bin
  SHA-256: 6474f8a7cf45d66e0e04a04e9260e9e51b5e443ddf10229181963a9b09af069a
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xFEAE
  Size:    10548 bytes

font_04_sfnt_off000122dc.bin
  SHA-256: ab0b30550c16f0218ea180a56450acc25083be48fb805cb0f6f475dfa13b8319
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x122DC
  Size:    2832 bytes