Malicious PDF — malware analysis report

Static analysis result for SHA-256 5024dae2172b879e…

MALICIOUS

PDF

74.8 KB Created: 2021-06-05 07:13:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cb91add5a35c2566b76ac1f144fa8fbc SHA-1: 370ab52d30ccbaec5135617e6d06903713443593 SHA-256: 5024dae2172b879e9bd699bceadca63fc1d5d58315c802ec64379f224ef1a2f1
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical finding for a PDF link farm containing 30 external links. The ML classifier and ClamAV also identified it as malicious. The document's purpose appears to be directing users to a large number of external URLs, likely for SEO manipulation or to host further malicious content. No scripts were extracted, but the presence of numerous external links suggests an attempt to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://huntic.ru/pbw?utm_term=borderlands+2+bore+skill
    • https://waperimawomexav.weebly.com/uploads/1/3/4/7/134733778/bifomumikog_xigenunuto_zegosuxelobuzi_denaloso.pdf
    • https://static.s123-cdn-static.com/uploads/4456399/normal_5ffac4f296662.pdf
    • https://rulodewarozuw.weebly.com/uploads/1/3/4/6/134678260/zolafejaz-virek-gurogulud.pdf
    • https://sobuxiba.weebly.com/uploads/1/3/4/8/134867950/mabufegis.pdf
    • https://cdn-cms.f-static.net/uploads/4484805/normal_6051702f66980.pdf
    • https://wojagezut.weebly.com/uploads/1/3/0/7/130775605/4595450.pdf
    • https://gajerekore.weebly.com/uploads/1/3/5/3/135327587/matafalofig.pdf
    • https://woxavadegiw.weebly.com/uploads/1/3/4/9/134902916/3985249.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://sonubugu.pbworks.com/w/file/fetch/144547497/how_to_reduce_file_size_from_mb_to_kb_online.pdf
    • http://negaboxa.pbworks.com/w/file/fetch/144601530/what_does_v.c._stand_for_when_signing.pdf
    • https://uploads.strikinglycdn.com/files/e2f51757-e364-4494-a36f-7f20bb6ee1a9/26717064958.pdf
    • https://uploads.strikinglycdn.com/files/65e62701-c187-4475-89f9-d7865a02e5f3/how_bitcoin_works_in_nigeria.pdf
    • http://kuperuxowix.pbworks.com/f/what_are_the_ethical_responsibilities_of_a_teacher.pdf
    • https://uploads.strikinglycdn.com/files/d39751e2-4db6-4d54-b208-ec37ab8d8b7e/rojometovowonute.pdf
    • https://uploads.strikinglycdn.com/files/982e0248-770c-4e98-9edf-91f46705eb5f/sears_kenmore_water_softener_repair_service.pdf
    • http://wigiwopajuke.pbworks.com/f/22789998585.pdf
    • https://uploads.strikinglycdn.com/files/03141f2e-7a59-4ad4-a265-4f857ce10910/pioneer_avh-x4700bs_manual.pdf
    • https://uploads.strikinglycdn.com/files/606bf0ed-bfd9-4582-91dc-97d8163ca573/xokal.pdf
    • http://zewalar.pbworks.com/f/winzo_gold_hacked_version_apk.pdf
    • https://uploads.strikinglycdn.com/files/facae051-6ac1-48a2-ae5c-6d8371d683b4/ninezaxoragewonusafef.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e9c5.bin
47e22b0f9dee92b51374f5585eb18427c6234dfe6752256e29bb12c90696c5c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE9C5 5204 bytes
font_01_sfnt_off0000fb86.bin
f9902ebee535e99bfa4199aab0dd50737bc6e3ce7e93e9358adaaa47ae5e7ff9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB86 10196 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.