Malicious PDF — malware analysis report

Static analysis result for SHA-256 5568aa8bf520b558…

Verdict: MALICIOUS
File type: PDF
Size: 75.0 KB
Created: 2021-03-29 13:52:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8964a3d3344970297cae51975ba245ae
SHA-1: 22bd5301eec545567d622d850daf46670778b78b
SHA-256: 5568aa8bf520b5586c20cda0cbceb435cf0a092bfc97ccec6acc2794c592664a
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Caveat: the T1059.007 (JavaScript) mapping is not backed by the findings below. None of the six heuristics reports JavaScript (no /JS, /JavaScript or /OpenAction finding), so treat that technique as unconfirmed for this sample.

The file is a small PDF generated with wkhtmltopdf whose link annotations point to a large number of external PDF URLs with keyword-stuffed filenames (for example 'introduction+to+biotechnology+thieman+pdf+free+download'), clustered on a handful of file-hosting CDNs. That is the shape of a generated SEO link-farm carrier, not of a document citing sources. The ClamAV signature and the ML classifier both rate the file malicious. The PDF_SEO_LINK_FARM heuristic, the call-to-action lure and the extracted URLs together indicate a document built to route the reader into further downloads of malicious or unwanted software, most plausibly delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding on its own; it gains weight only when other findings point to a malicious workflow, as they do here.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it does not, hence the info rating.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; what matters is the channel that reached it (macro, JS, link annotation, document body, XMP metadata, ...). In this list the keyword-named .pdf targets on cdn.sqhk.co, static.s123-cdn-static.com, cdn-cms.f-static.net, uploads.strikinglycdn.com and *.filesusr.com are the link-farm targets, and the zajinet.ru link carries the search phrase as a query parameter. The w3.org, purl.org and ns.adobe.com entries at the end are XMP namespace identifiers, and scripts.sil.org/OFL and the ascendercorp.com pages are the licence and vendor URLs carried in an embedded font's name table (two sfnt fonts were carved from this file, see below); none of those last seven is a clickable link target and they carry no weight.
    • https://zajinet.ru/wix?keyword=introduction+to+biotechnology+thieman+pdf+free+download
    • https://cdn.sqhk.co/sidamebo/xib0Aja/word_search_english_with_dictionary_game.pdf
    • https://static.s123-cdn-static.com/uploads/4385410/normal_5fd07182cf192.pdf
    • https://static.s123-cdn-static.com/uploads/4486984/normal_5ff12be32a075.pdf
    • https://cdn.sqhk.co/rubuxupab/Cieiibs/65051849963.pdf
    • https://cdn-cms.f-static.net/uploads/4411490/normal_604661975fc21.pdf
    • https://cdn.sqhk.co/dimowitop/jr22Bif/best_color_label_printer_2020.pdf
    • https://cdn.sqhk.co/xawobovuji/TQhhAia/82392484325.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2787b327-aecf-4ed4-8083-31b074c42fe2/how_to_install_directv_player.pdf
    • https://uploads.strikinglycdn.com/files/e59e0dcd-b649-4418-af48-bf1da12b9569/kagasaximumunanudi.pdf
    • https://8eccd3b7-fb20-4588-a5b5-4d8c58591879.filesusr.com/ugd/0e6328_5dfc1cba71bf4e169023f07f4176003d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/679e6694-4b91-454b-b6de-2fc33c039695/sotobezu.pdf
    • https://uploads.strikinglycdn.com/files/aac42ca1-ef4b-41d4-acc9-e1a47b25e19e/xoxozafulilovomumodam.pdf
    • https://uploads.strikinglycdn.com/files/dee61168-f514-41bb-90a6-377a005aca19/8582740361.pdf
    • https://abaaaae4-9231-44fc-b12c-ad55ebcc68e7.filesusr.com/ugd/2ca09c_f3803139054b46a182539b3149fbec61.pdf?index=true
    • https://6c8ebe11-725c-420b-823a-68bc39d02ad2.filesusr.com/ugd/3e87bf_791cf11d407d40b99cb42c77c8708c87.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4dde7163-6fd5-4566-81e8-b9dd34ceab8d/lifesmart_coronado_hot_tub_reviews.pdf
    • https://uploads.strikinglycdn.com/files/c250c694-6df9-4028-b17c-db80236a17a8/moon_river_trumpet_sheet_music.pdf
    • https://0e67983c-e844-40c9-b604-97311ec94efe.filesusr.com/ugd/6e13d9_77583bfb7077445fa611f52fa69efa91.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f3d90644-1f61-4036-b0fc-8e74bb67e2d4/using_multivariate_statistics_pearson_new_international_edition.pdf
    • https://uploads.strikinglycdn.com/files/49ea62ed-358e-4153-95df-67ef0db40c80/does_my_insurance_cover_genetic_testing_pregnancy.pdf
    • https://305aa2e3-e1d2-413d-aa2e-f1bb83d03ded.filesusr.com/ugd/92ee2b_3b895c7347914b34af245ef85b44ea4b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/edec6052-0518-471b-967f-2313d66d2633/accurate_harry_potter_house_quiz_quotev.pdf
    • https://uploads.strikinglycdn.com/files/1a01330b-2989-4793-b284-1cfd5fe3dec6/kirkland_signature_premium_hearing_aids_reviews.pdf
    • https://uploads.strikinglycdn.com/files/40e1cd1a-8532-4da0-ae33-e3c4840460c5/pomizuvorivifudakol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
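The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short scanner. The code below is an added example, not the analysis engine's implementation: it pulls every /URI action target out of a PDF (including annotations hidden inside a FlateDecode object stream, which a naive grep misses), clusters them by host, and separately lists any object number/generation pair that is defined twice with different bytes, showing what a first-wins and a last-wins parser would each see. The PDF it scans is constructed inline; the host name, file paths and the link-farm thresholds are assumptions for the demo.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# --- Constructed sample, not the analysed file ------------------------------
# Eight link annotations (seven on one host, one elsewhere), one more annotation
# hidden in a FlateDecode object stream, and an incremental update that
# redefines object 4 0 with a different /URI. Host and paths are assumed.
FARM_HOST = "uploads.example-cdn.invalid"


def _annot(num, uri):
    return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            f"/A << /S /URI /URI ({uri}) >> >>\nendobj\n").encode()


def build_sample():
    parts = [b"%PDF-1.5\n",
             b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
             b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
             b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R "
             b"7 0 R 8 0 R 9 0 R 10 0 R 11 0 R 13 0 R] >>\nendobj\n"]
    for n in range(4, 11):
        parts.append(_annot(n, f"https://{FARM_HOST}/files/{n:08x}/doc_{n}.pdf"))
    parts.append(_annot(11, "https://other.example.invalid/page.html"))
    # Object 13 exists only inside a compressed object stream (object 12).
    header = b"13 0 "
    inner = (b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://"
             + FARM_HOST.encode() + b"/files/deadbeef/extra.pdf) >> >>")
    packed = zlib.compress(header + inner)
    parts.append(b"12 0 obj\n<< /Type /ObjStm /N 1 /First %d /Length %d "
                 b"/Filter /FlateDecode >>\nstream\n" % (len(header), len(packed))
                 + packed + b"\nendstream\nendobj\n")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    # Incremental update: same object number and generation, different body.
    # Cross-reference tables are omitted; the scanner reads object syntax only.
    parts.append(_annot(4, f"https://{FARM_HOST}/files/00000004/replaced.pdf"))
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


# --- Scanner -----------------------------------------------------------------
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)


def _unescape(lit):
    # Only the string escapes that matter for a URL: \( \) \\ and line continuation.
    return re.sub(rb"\\([()\\])", rb"\1", lit.replace(b"\\\n", b""))


def _inflated_streams(data):
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue   # not Flate, or damaged; the raw scan already covered it


def extract_uris(data):
    """All /URI action targets (literal or hex strings), from the raw object
    syntax and from every inflatable stream, so object streams do not hide them."""
    found = []
    for blob in (data, *_inflated_streams(data)):
        for m in URI_RE.finditer(blob):
            if m.group("lit") is not None:
                raw = _unescape(m.group("lit"))
            else:
                raw = bytes.fromhex(m.group("hex").decode("ascii"))
            found.append(raw.decode("latin-1"))
    return found


def link_farm_verdict(data, max_size=256 * 1024, min_links=10, min_share=0.5):
    """Assumed thresholds, not the report engine's tuning: small file, many
    http(s) links, and most of them clustered on a single host."""
    hosts = Counter()
    for uri in extract_uris(data):
        u = urlsplit(uri)
        if u.scheme in ("http", "https") and u.hostname:
            hosts[u.hostname.lower()] += 1
    total = sum(hosts.values())
    top_host, top_n = (hosts.most_common(1) or [(None, 0)])[0]
    share = top_n / total if total else 0.0
    return {"size": len(data), "external_links": total, "top_host": top_host,
            "top_share": round(share, 3),
            "flag": len(data) <= max_size and total >= min_links and share >= min_share}


def duplicate_objects(data):
    """(num, gen) -> distinct bodies, for objects defined more than once with
    different bytes. A first-wins parser renders bodies[0]; a last-wins parser
    (the incremental-update convention) renders bodies[-1]."""
    seen = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        body = b" ".join(m.group(3).split())      # normalise whitespace only
        bodies = seen.setdefault(key, [])
        if body not in bodies:
            bodies.append(body)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    pdf = build_sample()
    print(link_farm_verdict(pdf))
    for (num, gen), bodies in duplicate_objects(pdf).items():
        print(f"object {num} {gen} defined {len(bodies)} ways:")
        for body in bodies:
            print("   ", body[:90])
```

On the constructed sample the verdict reports 10 external links with 90% on one host and flags the file; the duplicate check lists object 4 0 with its original and its replacement body. On a real sample, run the same two functions over the file bytes and read the duplicate bodies side by side before deciding which parser's view the rest of the analysis should trust.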

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e56b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE56B   5660 bytes
  SHA-256: d4da5d0e32917104e6a2c9e09591e324c533fe46fd9586942f6f926dbfe8acb2
font_01_sfnt_off0000f896.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF896   11000 bytes
  SHA-256: ed17307516c0c830ce1e07140704451d937ab23b4a8f710dfb6c51d84111e087