Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f523a07ecacf06f…

MALICIOUS

PDF

80.0 KB Created: 2021-04-24 20:22:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd224c63a348bf51279776d130c2667a SHA-1: d612e564c6b27874c6d972f5b45f253a17afe25b SHA-256: 4f523a07ecacf06f573f155a5c685e5b7e0fe70f6cec991747e7743fd80bac98
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to SEO-optimized PDF documents, indicating a link farm or SEO manipulation tactic. The ML classifier and ClamAV both flagged this PDF as malicious, with ClamAV identifying it as a phishing trojan. The embedded URLs suggest an attempt to redirect users to potentially malicious or deceptive content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/strik?utm_term=what+to+do+when+astro+a20+wont+turn+on
    • http://keysecret.ru/49064728425gcs7z.pdf
    • https://static.s123-cdn-static.com/uploads/4467287/normal_5ff4c3ad6e4bb.pdf
    • http://temppicture.xyz/dell_inspiron_n7110_batteryxv58v.pdf
    • http://amsidgi.xyz/guvijirgvr73.pdf
    • https://static.s123-cdn-static.com/uploads/4427544/normal_5ff674fc73c6e.pdf
    • https://cdn-cms.f-static.net/uploads/4451229/normal_603e97345db53.pdf
    • http://legiontry.online/spell_of_the_sensuous_quotesk242d.pdf
    • http://getsol.xyz/hoover_spinscrub_50_directions_for_use8djbw.pdf
    • https://static.s123-cdn-static.com/uploads/4454170/normal_5ff31cfc16fd3.pdf
    • https://cdn-cms.f-static.net/uploads/4372972/normal_60194e21062d0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/f486e5da-dbe5-430b-ba2c-e5e77b8ed99c/gepofafimolomedutanebo.pdf
    • https://0fecb50d-c8db-4b5c-a67e-01a13b1c0e9a.filesusr.com/ugd/da7c2d_08b66f93750b482f897f1608b6e04d01.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8af14c70-7708-4ab8-a29c-7caa3e2f2b79/59055619425.pdf
    • https://c809e8a6-5bdf-489d-8d8c-df4e4638a115.filesusr.com/ugd/45a296_43a3183bae01431bb8ebbf82d6f2bfd9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0b2cddf9-6bf0-405a-914d-dd8f83b96a3a/brene_brown_podcast_the_body_is_not_an_apology.pdf
    • https://uploads.strikinglycdn.com/files/dfdd5097-3767-4026-ba13-bc9464a59d10/tumokoruxozenewixulebu.pdf
    • https://uploads.strikinglycdn.com/files/0f4a272c-0b1e-4ffa-a39e-2b5be6095122/gosamupofivotuxifaxareb.pdf
    • https://09235f31-469a-4613-94fc-36d04c1f642a.filesusr.com/ugd/8b6407_6602bf0fe7ac4792b74d277b6074561d.pdf?index=true
    • https://s3.amazonaws.com/xuxifuzituwu/cs221_cheat_sheet.pdf
    • https://s3.amazonaws.com/kegovev/cant_get_pilot_lit_on_gas_fireplace.pdf
    • https://s3.amazonaws.com/muxozuvalubi/kuwedofu.pdf
    • https://5fb42ee6-a9be-400a-98f2-f9d4b9f720c8.filesusr.com/ugd/1813b3_1d0896eb1310483198a5bd0a59477f4e.pdf?index=true
    • https://s3.amazonaws.com/wewiro/8534688262.pdf
    • https://s3.amazonaws.com/desenaz/old_model_vidmate_apk.pdf
    • https://uploads.strikinglycdn.com/files/3e6a066c-aa40-422c-b0c7-f0019c49119e/2004_g35_manual_transmission_fluid.pdf
    • https://uploads.strikinglycdn.com/files/488fcd84-58c3-414b-9ed5-ee8f8e5eeb17/tezotanajupolig.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fb14.bin
18308bd841fdecefedac69988b574afec665fc7302c5affe8c400975a2eb753a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB14 5260 bytes
font_01_sfnt_off00010d04.bin
d6fa165fe313d2ed693ebcb4ce88ef3c9a94d5b8e92dfc4d001673452155ad46		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10D04 10900 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.