Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f8a4342a8f1f844…

Verdict: MALICIOUS
File type: PDF
Size: 76.0 KB
Created: 2021-04-03 01:52:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 453c63bd278e115e9fa19bee05251c0a
SHA-1: d633c634865e5d7c2cd1b7d3e77e88f2212ea4b8
SHA-256: 4f8a4342a8f1f844af43b913499df149f6d95cc8fd1e9959a47fc294fefda117
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

ClamAV (Pdf.Phishing.Trojan signature) and the ML classifier (score 0.9991) both flag this file as malicious. The PDF is small (76 KB) yet carries a large number of clickable external links, almost all of them pointing to further PDFs on a handful of file-hosting domains (cdn-cms.f-static.net, weebly.com, sqhk.co, s123-cdn-static.com, filesusr.com). That is the shape of a generated SEO/link-farm carrier that routes users toward unwanted-software or phishing delivery chains rather than a genuine document with citations. The lure keyword 'acoustic guitar tuner' appears as the utm_term parameter of the ponafet.ru URL, and 'wkhtmltopdf' is the producer recorded in the document metadata, consistent with the file having been rendered from HTML by an automated pipeline. None of the listed heuristics reports JavaScript, so the T1059.007 mapping is not corroborated by the evidence shown in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Not every entry below is a clickable link: the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers from the metadata stream, and the ascendercorp.com and scripts.sil.org/OFL entries are the kind of vendor and licence URLs carried in font name tables, most likely from the three embedded sfnt fonts listed under Extracted artifacts. The link-farm verdict rests on the .pdf links to cdn-cms.f-static.net, weebly.com, sqhk.co, s123-cdn-static.com and filesusr.com, plus the ponafet.ru URL that carries the lure keyword in its utm_term parameter.
    • https://ponafet.ru/123?utm_term=acoustic+guitar+tuner
    • https://cdn-cms.f-static.net/uploads/4424029/normal_6023ff04184fc.pdf
    • https://cdn-cms.f-static.net/uploads/4409246/normal_603c8048a077a.pdf
    • https://nojamatisi.weebly.com/uploads/1/3/1/3/131384142/romofuferev_fonulirobuxo_sixajuvogiro.pdf
    • https://cdn-cms.f-static.net/uploads/4454286/normal_601de6ad53ed8.pdf
    • https://cdn-cms.f-static.net/uploads/4450430/normal_603e22b392c55.pdf
    • https://gejilesiwurulu.weebly.com/uploads/1/3/4/3/134374779/55d2a04f1140.pdf
    • https://static.s123-cdn-static.com/uploads/4414866/normal_5fe1f6e6287eb.pdf
    • https://mosazipabefo.weebly.com/uploads/1/3/4/7/134735261/3936356.pdf
    • https://cdn.sqhk.co/rufebumu/idDjgj2/81729804183.pdf
    • https://cdn-cms.f-static.net/uploads/4461497/normal_603294ab52403.pdf
    • https://cdn.sqhk.co/piredonina/jduaBmV/vadodedudosemalur.pdf
    • https://cdn-cms.f-static.net/uploads/4417653/normal_604ee6914cedb.pdf
    • https://cdn.sqhk.co/ditetona/eib5hdQ/burgundy_formal_dress_accessories.pdf
    • https://napokepuwaju.weebly.com/uploads/1/3/1/1/131164128/zunulopubiz-namiwo.pdf
    • https://cdn-cms.f-static.net/uploads/4490264/normal_600d434f2b815.pdf
    • https://cdn-cms.f-static.net/uploads/4450240/normal_60387d547cc4e.pdf
    • https://cdn.sqhk.co/vitozogog/8jjXugc/counter_terrorism_jobs_near_me.pdf
    • https://static.s123-cdn-static.com/uploads/4407066/normal_5fefcefa06708.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cccd2283-d272-450a-840b-6541230ebad2.filesusr.com/ugd/5de1df_31db412200aa4f46aa8a057533cc6951.pdf?index=true
    • https://ced6af22-cf5f-4df0-9cd6-2d424634d287.filesusr.com/ugd/3eed2b_75df1a600d0342caa9e90cb0aa3403c0.pdf?index=true
    • https://183df7f2-4185-4ca0-bfcc-33b39bc842f1.filesusr.com/ugd/9ac34a_b5062194c4a342ed923a63dc3652ce40.pdf?index=true
    • https://49432a94-54bc-4d13-9d12-ea41d731e1b8.filesusr.com/ugd/a7c689_4384e4392a084541b817b83e3c775f51.pdf?index=true
    • https://cd9ed9ec-87d1-42be-9198-0b2de6c1db4d.filesusr.com/ugd/158fb9_81c65c3bc27b4448acad617ec793c37a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
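The two parser-facing heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a few lines of standard-library Python. The block below is an added example and is not code from the original report or from the analysis engine that produced it. The PDF it scans is constructed inline; the thresholds (200 KB, at least 10 links, half of them on one host), the list of "active content" keys and the sample host names are assumptions chosen for illustration; and the regex object tokenizer only sees plain, uncompressed objects, so on a real sample it should be run on the output of a decompressing rewrite such as qpdf --qdf.

```python
"""Added example, not part of the original report: a small scanner that
reproduces the logic behind PDF_SEO_LINK_FARM and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL over a constructed PDF. It tokenizes
`N G obj ... endobj` with a regex, so it only sees plain (uncompressed,
unencrypted) objects; objects packed in object streams need a real parser.
Thresholds, ACTIVE_KEYS and the sample data are assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys that make a conflicting duplicate worth a higher severity (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA")


def iter_objects(data):
    """Yield (num, gen, body) for every indirect object, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def extract_uris(data):
    """Return every /URI literal-string target in file order, unescaped."""
    out = []
    for m in URI_RE.finditer(data):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        out.append(raw.decode("latin-1"))
    return out


def link_farm_check(data, max_size=200_000, min_links=10, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM shape: a small file, many external links, most of
    them on one host. Returns (hit, details)."""
    uris = extract_uris(data)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    hit = (bool(uris) and len(data) <= max_size and len(uris) >= min_links
           and top_count / len(uris) >= cluster_ratio)
    return hit, {"links": len(uris), "top_host": top_host, "top_count": top_count}


def duplicate_objects(data):
    """Map (num, gen) -> bodies for objects defined more than once with
    different bytes; the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape."""
    seen = defaultdict(list)
    for num, gen, body in iter_objects(data):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_severity(dups):
    """'critical' when a conflicting body carries active content, 'info' for
    passive body-only differences (common in benign incremental updates)."""
    if not dups:
        return None
    active = any(k in b for bodies in dups.values() for b in bodies for k in ACTIVE_KEYS)
    return "critical" if active else "info"


def resolve(data, num, gen, policy="last"):
    """Body a first-wins ('first') or last-wins ('last') reader uses for an
    object; the two disagree exactly on the objects duplicate_objects reports."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def build_sample():
    """Constructed sample, not the analysed file: one page with link
    annotations clustered on one host, then an incremental update that
    redefines annotation object 10 with a different /URI."""
    hosts = ["cdn-cms.f-static.net"] * 8 + ["a.example", "b.example", "c.example"]
    annots = b""
    for i, h in enumerate(hosts, start=10):
        annots += (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                   b"/A << /S /URI /URI (https://%s/uploads/%d.pdf) >> >>\nendobj\n"
                   % (i, h.encode(), i))
    refs = b" ".join(b"%d 0 R" % i for i in range(10, 10 + len(hosts)))
    original = (b"%PDF-1.4\n"
                b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
                b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>\nendobj\n"
                + annots + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    update = (b"10 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              b"/A << /S /URI /URI (https://ponafet.ru/123?utm_term=acoustic+guitar+tuner) >> >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    pdf = build_sample()
    print("PDF_SEO_LINK_FARM:", link_farm_check(pdf))
    dups = duplicate_objects(pdf)
    print("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL:", sorted(dups), duplicate_severity(dups))
    print("first-wins body:", resolve(pdf, 10, 0, "first"))
    print("last-wins body: ", resolve(pdf, 10, 0, "last"))
```

Running the block prints the link-farm verdict, the conflicting object number and the body a first-wins versus a last-wins reader would use for object 10. The PDF specification's incremental-update semantics are last-wins, so a reader that honours them follows the ponafet.ru link while a naive first-wins scanner still sees the original host, which is why the severity logic inspects the conflicting bodies rather than just counting duplicates.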

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                     Size
font_00_sfnt_off0000dd9e.bin  6459b75608a17375d65bc47d6e0d5b671ba46097e617a0bd8814e8a71e5bc498  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDD9E  4924 bytes
font_01_sfnt_off0000ee65.bin  0a3062cd6ba230f56c133a98f198dcf096f701c94182491f7ed6019546347309  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEE65  3976 bytes
font_02_sfnt_off0000fddf.bin  3eeff398dba1a00b16157e3853de312bf4bb7ce620d1611a31651ace54487870  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFDDF  10196 bytes