Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fc4334885cca57d…

Verdict: MALICIOUS
File type: PDF
Size: 98.1 KB
Created: 2021-03-29 01:51:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e060b2ed82d010ecdeeb0500f264a412
SHA-1: 32f0f7015f25d19c7e573c621fd6332b5bb0ebe9
SHA-256: 4fc4334885cca57d22bf5b8dfebfbf0c8ee75c800eca5ea1d8c5764cf7726aec
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to other PDFs, suggesting a link farm or redirection mechanism. The embedded URLs likely lead to phishing content or further malware delivery, aligning with the Spearphishing Attachment technique.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off00013f0b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x13F0B  5168 bytes
    SHA-256: e816c62716c2f39c13370f2690dcc1ebf217c3a70768cef1a20c95b3fc70ab1b
font_01_sfnt_off000150c9.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x150C9  12724 bytes
    SHA-256: 9073824e41d07b945e8566cdac9dde0c0f648e4fc811ab7a27e5787048373936