Malicious PDF — malware analysis report

Static analysis result for SHA-256 4df7009f2e0614b3…

Verdict: MALICIOUS
File type: PDF
Size: 88.8 KB
Created: 2021-03-26 07:01:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 34da7f5d59a0f1dafdbd11bb444237d2
SHA-1: 2a81a04305b16da9dc9eb01231a8426c3c16d969
SHA-256: 4df7009f2e0614b3c02ef20ea8928db19624277f6681c569653e1db7ab5b68cd
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm with numerous external URLs, many of which are disguised as downloadable documents. The heuristic PDF_SEO_LINK_FARM indicates a mass of external links, suggesting an attempt to manipulate search engine results or redirect users to malicious content. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000ed2d.bin
    SHA-256: c9f420d4f0929bd373aca8cccd144ebbc25894394227f45ef653ffa48498c9de
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED2D
    Size: 5800 bytes
  • font_01_sfnt_off000100ce.bin
    SHA-256: 71f98e122bc597ce869273d7c55f1d7189bfdce883492f15adfd513a99aa571f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100CE
    Size: 10860 bytes
  • font_02_sfnt_off00012658.bin
    SHA-256: 6e3fbd491d8b71441998836ddca0d0c102716a221ea14f8143929167ad9a79b3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12658
    Size: 16164 bytes
  • font_03_sfnt_off00013ba9.bin
    SHA-256: 42348c77c92b82e24d132699ee3a7164f1ad0115dbc2d05efe0e09491e5de5ca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13BA9
    Size: 7768 bytes