Malicious PDF — malware analysis report

Static analysis result for SHA-256 54593a8db02f82c9…

MALICIOUS

PDF

86.5 KB Created: 2021-04-02 01:53:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d18361f65563156ba00bc69a379fa64d SHA-1: d3e0601774d630ed4d214389a4daaeecf80a0208 SHA-256: 54593a8db02f82c982057d4904b9dbae152708f4c8d4ed1b193330c4fae022eb
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or redirection scheme. The presence of a URL referencing 'advanced systemcare 12. 5 crack' in the document body further supports a lure-based attack pattern, likely aimed at tricking users into visiting malicious sites for fake software or other deceptive content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/123?utm_term=advanced+systemcare+12.+5+crack
    • https://static.s123-cdn-static.com/uploads/4416149/normal_5ffc4ed259ca6.pdf
    • https://nabidojanafo.weebly.com/uploads/1/3/4/4/134455463/9697190.pdf
    • https://static.s123-cdn-static.com/uploads/4478125/normal_5ff164136bb1e.pdf
    • https://wuxinaruniluxod.weebly.com/uploads/1/3/4/8/134882591/lajefaguju.pdf
    • https://zeruxexo.weebly.com/uploads/1/3/4/3/134373455/7756092.pdf
    • https://paxuweveli.weebly.com/uploads/1/3/5/3/135320709/ba9446206b05d1.pdf
    • https://zurukuwimuso.weebly.com/uploads/1/3/4/3/134325804/4c47c.pdf
    • http://carinsusa.info/spectrum_math_workbook_grade_8_free92cvz.pdf
    • https://watorixaziju.weebly.com/uploads/1/3/4/5/134586039/7642479.pdf
    • http://bitcoinlearningcentre.online/dowipasf9z.pdf
    • https://cdn-cms.f-static.net/uploads/4453909/normal_604e652b6d4ca.pdf
    • http://fuckfrsky.com/un_tranva_llamado_deseo_pelicula_completa_subtitulada_en_espaol8ubos.pdf
    • http://uspeh.icu/zasokikena0m1u8.pdf
    • http://sale50.pro/how_to_setup_netgear_wnr1000_as_a_repeater9wj6p.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://s3.amazonaws.com/fotepopunaj/new_movies_telugu_wap.pdf
    • https://78905da9-dd21-4190-abaa-c894c042e703.filesusr.com/ugd/851c7c_e614a41c071d42ddadf25f3de9cab57a.pdf?index=true
    • https://14319df0-7947-4f0d-bbb3-eaa17d5eb23e.filesusr.com/ugd/c45f38_c5553232712f4d9daba1fba5d5d03309.pdf?index=true
    • https://s3.amazonaws.com/liluvad/answer_for_heaven_season_2.pdf
    • https://2a6c20f5-091f-48b5-a5be-bf749919b1f6.filesusr.com/ugd/3794ad_09836e371de248ec9e21ff85dc001004.pdf?index=true
    • https://329f26c8-0235-4118-8622-173d264d9cf1.filesusr.com/ugd/221f3a_f753f03f0b06440d8520267a3ca6b2cb.pdf?index=true
    • https://s3.amazonaws.com/gogoxowiniza/kewejezebukuroze.pdf
    • https://696f1bd8-06c3-47a7-a8f7-e83e17ec8d18.filesusr.com/ugd/5ad03d_c2aedc54d89e4f869c9d37ca76157050.pdf?index=true
    • https://s3.amazonaws.com/bomupi/play_opera_madama_butterfly_2019.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fe49.bin
6fc657f4b43e6df276212101c53818b4875cdc92a89cd77b84c2d8c79269abe6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFE49 5608 bytes
font_01_sfnt_off00011165.bin
329bd9a9f4620c4b8ea50d4ef513403604acb8f4da073bb8e8730d0dcc7d6d35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11165 2524 bytes
font_02_sfnt_off00011cc8.bin
11b25debf9035c595503ee389543c96ddd9e6d25cdb8311dd49e9b6fd9093365		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11CC8 16028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.