Malicious PDF — malware analysis report

Static analysis result for SHA-256 5104ce74ed9745fc…

MALICIOUS

PDF

81.2 KB Created: 2021-04-29 23:12:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d91e84c7d90a3c93b805c212596abf6 SHA-1: 2a53dcf008ccff4b126d0887aad4f98e6144a1ca SHA-256: 5104ce74ed9745fc51a8d8794a503b46840d825e64816f61bec0841e615cc828
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or phishing operation. The document body, though heavily obfuscated, appears to contain product-related keywords, potentially serving as a lure to disguise the malicious nature of the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/strik?utm_term=nikon+p-223+3-9x40+mate+bdc+600+cabelas
    • https://basuxujazako.weebly.com/uploads/1/3/4/4/134467371/4113643.pdf
    • http://plusstore.pro/problemas_economicos_de_mexico_jose_silvestre_mendezfricq.pdf
    • http://thedefenseforge.com/94902881655gnceu.pdf
    • http://the-english-temple.com/nibupiiipgs.pdf
    • https://fakodide.weebly.com/uploads/1/3/0/8/130874451/41c4f0977.pdf
    • http://nosinoski.shop/sofewumezagadelipijugs08g.pdf
    • https://nulazonale.weebly.com/uploads/1/3/4/8/134892754/vaduvib_pujom_wikanuti.pdf
    • http://phrensy.co/how_to_form_a_job_descriptionekjwq.pdf
    • https://sizelelam.weebly.com/uploads/1/3/4/8/134867910/beb0cdd6398.pdf
    • http://bakavorun.getenjoyment.net/the_adventure_zone_graphic_novel_free.pdf
    • https://kejuzeke.weebly.com/uploads/1/3/4/4/134456394/4543581.pdf
    • https://piriwunetu.weebly.com/uploads/1/3/1/3/131379541/ludereje_lobexaxoj_kakonebug_bigesir.pdf
    • http://fajufoturesu.sportsontheweb.net/amino_acid_and_protein_synthesis.pdf
    • https://nupepapuk.weebly.com/uploads/1/3/1/4/131484133/5680324.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://6fc76513-a17a-4053-940d-bef108f5ea85.filesusr.com/ugd/3a5ef0_a1e902ded9e344cf8f3fbf5fdafb2484.pdf?index=true
    • http://palexibibiw.atwebpages.com/bridge_to_terabithia_book_online.pdf
    • https://uploads.strikinglycdn.com/files/14411979-f40a-4a11-be8a-067aab380691/download_thank_me_later_album_free_mp3.pdf
    • https://d872ce2a-2baf-4032-ab86-ab75b2f66d52.filesusr.com/ugd/338562_5d5ca2a5166f4916a82954f04f73061a.pdf?index=true
    • https://ce099f17-eb12-430b-a452-8d789b3ee5a8.filesusr.com/ugd/aef5b7_49bc0bc0e1d64c2981794e428448a962.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c5f40cf8-37f3-4d59-92b9-4c7baa056dd7/microsoft_flight_simulator_2020_release_xbox_one.pdf
    • https://3a7b682b-4b85-4b21-836a-a34929c8735b.filesusr.com/ugd/0cd3a8_11c4e3568fe24a07a6c9eeba8be8dfec.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fc28.bin
85cd5ccaac57e30dc9b7f2f365d330ce4e549c5910ee3d46e3f41be4abccaf30		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC28 6232 bytes
font_01_sfnt_off00011155.bin
08d1bfe9305473d9bfa0c2bebd8fc351bf4ca0e46b7f4c3563950aed6e0c63aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11155 11136 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.