Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fc4551dbb423703…

MALICIOUS

PDF

Size: 94.6 KB
Created: 2021-03-14 11:49:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74dde8dde3a12c5897de5541f5ce40d6
SHA-1: e5cd59f51eee105fac9abcddba0880687afe3a6a
SHA-256: 4fc4551dbb423703c04f62e952c1ce630f7d6b47a52734e05e6fab9886fcc815
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large set of external links that the heuristics classify as an SEO link farm; the lure theme is a "stellar evolution worksheet", visible in the keyword parameter of the first extracted URL. The ClamAV signature and the ML classifier both indicate malicious intent, most likely phishing or malware distribution. No scripts were extracted, so the T1059.007 (JavaScript) mapping rests on no observed code; the risk lies in the document's structure and its URL list, which are built to route users to potentially harmful sites rather than to present any real content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample the tail of the list is not link-farm material: the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers, and the GNU FreeFont, GPL, SIL OFL, Ascender and Dalton Maag entries are the kind of licence and vendor strings carried in embedded font tables. Neither group is a clickable link target, and the four carved sfnt fonts below account for them.
    • https://seumenha.ru/wix?keyword=stellar+evolution+worksheet
    • http://okrasote.info/questions_to_ask_while_job_shadowing_a_nursedxuou.pdf
    • http://gooddevice-online.com/honda_rebel_300_price_malaysiag14xe.pdf
    • http://taforojujutusig.mygamesonline.org/60312419906.pdf
    • https://kaxagigunuji.weebly.com/uploads/1/3/1/3/131383746/bujuzik.pdf
    • http://uchebnoe.website/52321784382qx1uh.pdf
    • https://cdn.sqhk.co/vixukose/hfT9vjg/police_cop_simulator_gang_war_missions.pdf
    • http://minesaxofunawi.getenjoyment.net/5th_grade_common_core_math_volume_worksheets.pdf
    • http://pewodebepefawi.scienceontheweb.net/netgear_n300_c3000_manual.pdf
    • http://fejiximodanu.mygamesonline.org/77053279789.pdf
    • https://cdn.sqhk.co/zupodejadofe/fibjdUQ/defender_110_price_new.pdf
    • https://cdn.sqhk.co/zugeketinog/djjjg5y/rikujez.pdf
    • https://kufobuzu.weebly.com/uploads/1/3/5/3/135330794/5336987.pdf
    • http://lifeit.pro/safejevirodini5g2qo.pdf
    • https://cdn.sqhk.co/jisokemefaz/nRjESic/wezanejopokozilir.pdf
    • https://cdn.sqhk.co/gunobawiwax/EWHibge/ice_candy_mania_fair_food_maker_cooking_games.pdf
    • http://shtancircul.site/3129405710isqne.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/f0abc1c4-8189-4483-b1df-6d0e7610570c/63384874339.pdf
    • https://uploads.strikinglycdn.com/files/67a5e3f5-7d88-4772-9124-8b161fb14467/wotojivanesomuw.pdf
    • https://uploads.strikinglycdn.com/files/7f1fc82c-9b2d-45f8-93b8-39941432ec4c/38714211654.pdf
    • https://uploads.strikinglycdn.com/files/3122bba8-65af-4e39-934d-3ab97873513a/80856014998.pdf
    • https://uploads.strikinglycdn.com/files/237a6001-d6d9-4c46-b213-09b1eaba95c6/plantronics_c054_not_working.pdf
    • https://uploads.strikinglycdn.com/files/31418042-4c41-4a95-b039-bf83dfe792fd/goridasi.pdf
    • http://jisunopesaluzi.atwebpages.com/83115059987.pdf
    • https://uploads.strikinglycdn.com/files/e7a4c381-1925-455d-a24a-ffe1a7ec6e2d/sumomoxuwoditesiregivarik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
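The following Python script is an added worked example and is not part of this report's tooling. It shows the two structural checks above on one miniature PDF: it scans every `N G obj ... endobj` definition, reports object numbers whose bodies differ between definitions, resolves the object table the way a first-wins and a last-wins reader would, pulls the URLs reached through the link-annotation channel (`/URI` actions) from each view, and scores them with the link-farm shape (small file, many external links, one host holding most of them). It also greps raw URL strings from the whole byte stream to show why a namespace URI in XMP metadata is inventory, not a detection. The PDF bytes are hand-constructed test data, not the analysed sample, and the thresholds in `link_farm_verdict` are assumptions, not the report's.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample, not bytes from the analysed file: a tiny PDF with five
# link annotations, an XMP metadata stream carrying a namespace URI, and an
# incremental update that redefines object 4 0 with a different link target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 10 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/a/one.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/b/two.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/c/three.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/d/four.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example.test/five.pdf) >> >> endobj
10 0 obj << /Type /Metadata /Subtype /XML /Length 93 >> stream
<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure.example.test/stellar_evolution_worksheet.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
RAW_URL_RE = re.compile(rb'https?://[^\s()<>"\']+')


def scan_objects(data: bytes):
    """Every 'N G obj ... endobj' definition in file order, duplicates included."""
    return [(int(m[1]), int(m[2]), m[3].strip()) for m in OBJ_RE.finditer(data)]


def duplicate_objects(objects):
    """(N, G) keys defined more than once with differing bodies: the
    PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape."""
    bodies = defaultdict(list)
    for num, gen, body in objects:
        bodies[(num, gen)].append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve(objects, policy: str):
    """Object table as a first-wins or last-wins reader would build it."""
    table = {}
    for num, gen, body in objects:
        if policy == "first":
            table.setdefault((num, gen), body)
        else:
            table[(num, gen)] = body
    return table


def link_uris(table):
    """URLs reachable through the link-annotation channel (/URI actions)."""
    return [m[1].decode("latin-1") for body in table.values() for m in URI_RE.finditer(body)]


def raw_urls(data: bytes):
    """Every URL-looking string anywhere in the bytes, metadata and font
    licence strings included; an inventory, not a detection."""
    return sorted({m[0].decode("latin-1") for m in RAW_URL_RE.finditer(data)})


def link_farm_verdict(uris, size_bytes, *, max_size=200_000, min_links=5, cluster_ratio=0.5):
    """Assumed thresholds, not the report's: a file under max_size bytes with at
    least min_links external links, of which one host holds cluster_ratio or more."""
    hosts = Counter()
    for u in uris:
        p = urlparse(u)
        if p.scheme in ("http", "https") and p.hostname:
            hosts[p.hostname] += 1
    total = sum(hosts.values())
    if size_bytes > max_size or total < min_links:
        return {"flag": False, "links": total, "top_host": None, "ratio": 0.0}
    host, n = hosts.most_common(1)[0]
    return {"flag": n / total >= cluster_ratio, "links": total, "top_host": host, "ratio": n / total}


if __name__ == "__main__":
    objs = scan_objects(SAMPLE_PDF)
    for key, bodies in duplicate_objects(objs).items():
        print(f"object {key[0]} {key[1]} defined {len(bodies)} times with different bodies")
    for policy in ("first", "last"):
        uris = link_uris(resolve(objs, policy))
        print(policy, "wins:", uris, link_farm_verdict(uris, len(SAMPLE_PDF)))
    reached = set(link_uris(resolve(objs, "last")))
    print("raw URLs not reached by any link annotation:",
          sorted(set(raw_urls(SAMPLE_PDF)) - reached))
```

The two object-table views disagree on what object 4 0 points at: a first-wins reader sees the benign-looking CDN link, a last-wins reader sees the lure, which is exactly why the duplicate-body heuristic is worth a look even at "info" severity. The raw grep returns the w3.org namespace URI and the overwritten CDN link as well, while the link-annotation channel returns neither; triage should key on the channel, not on the presence of a string.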

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00011705.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11705
    Size: 6440 bytes
    SHA-256: 2ce5a7286efefc5aae27ce1c31b3347e159d00bd30cf97f509a0b7f7d49caffb
  • font_01_sfnt_off000126fa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x126FA
    Size: 4972 bytes
    SHA-256: ed49e4e4fb4d50aabb803442a9d86a59fa100b0ad4febca80cdc141d9675b05d
  • font_02_sfnt_off000137e0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x137E0
    Size: 11168 bytes
    SHA-256: e2c74ee637266d0b5ae68c73c3e9ae41afb2d018d5c1e634c43c01bfe6efda7a
  • font_03_sfnt_off00015df8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15DF8
    Size: 4324 bytes
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34