Malicious PDF — malware analysis report

Static analysis result for SHA-256 56d065499a674c93…

MALICIOUS

PDF

80.2 KB Created: 2021-04-26 23:29:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d460b623833cf80ef5454d333af2eb8d SHA-1: c05aa4757df50ea9c3770b49d5713cb20cc15e8d SHA-256: 56d065499a674c93f615e5ba951210d23fc98028363dffb31c617a2a4d05da1c
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was identified as malicious by ML classifiers and ClamAV, with critical heuristics indicating it functions as a link farm. It contains numerous external URIs pointing to disposable domains, suggesting a tactic to distribute or obscure malicious content. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the overall structure points to a malicious intent to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xajibur.ru/strik?utm_term=kohler+20kw+generator+installation+cost
    • http://xivazokib.medianewsonline.com/katherine_johnson_biography.pdf
    • http://zefefiwova.medianewsonline.com/simile_worksheets_for_grade_3.pdf
    • http://xoxapepagaxon.mypressonline.com/muxara.pdf
    • https://mibuxinuk.weebly.com/uploads/1/3/4/7/134753888/patuguvuxu.pdf
    • http://bewujasixi.mywebcommunity.org/zonajigufese.pdf
    • https://zibinileder.weebly.com/uploads/1/3/4/7/134748255/doxagumoberasi.pdf
    • https://senidexug.weebly.com/uploads/1/3/0/7/130775540/519c243afa.pdf
    • http://dalidusiz.mywebcommunity.org/intermediate_algebra_and_functions_worksheets.pdf
    • https://jotutavujisab.weebly.com/uploads/1/3/1/1/131164129/22620f34ae.pdf
    • http://mazipuvaxa.mywebcommunity.org/79006420108.pdf
    • https://ruxunomitebapat.weebly.com/uploads/1/3/1/6/131606858/zedukalopotusur_tegago_gewuzoxokukof_zakufowojo.pdf
    • http://gejulavofanutar.mygamesonline.org/type_b_blood_diet_food_list.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://ca39a19f-16f9-469f-ab0b-65ec0463b8d0.filesusr.com/ugd/cc9b97_c8aade4c03b14f2ba7acba9b73305d3f.pdf?index=true
    • https://fff5164c-1337-4dca-a870-9ee8129e9d1f.filesusr.com/ugd/11cbe4_68f0533b48d743fc964cd3f5e17cedf4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1b1a2015-19f9-4083-8a18-6d19d38c0d87/gijagurojidoxowasoz.pdf
    • https://1d812fcc-cfc3-4558-a870-56fc5b7f4c2e.filesusr.com/ugd/754d94_e4271ac403dc4530baa842df52127bc9.pdf?index=true
    • http://belibivizonojo.myartsonline.com/online_editor_add_pages.pdf
    • https://a39ac558-8fe8-437d-9e10-dc9402d6cb9c.filesusr.com/ugd/1ebe14_fa5b03a6244f400e8936af069f85a175.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c9867810-c7bf-49c7-9e3f-35f27e270530/pevusewupogopotejuxasom.pdf
    • https://uploads.strikinglycdn.com/files/f22b4a83-223c-421f-9bd0-63bc1984ba8a/lax_max_speaker_manual.pdf
    • https://uploads.strikinglycdn.com/files/69b97dcb-5ef7-48c3-a861-4de32ae2248e/22722316773.pdf
    • https://0dd0cd87-80d3-4eb5-b9c6-73c43c3a6fca.filesusr.com/ugd/f0b6b3_7d5883fbad854b8cb63c55a8606b436c.pdf?index=true
    • http://xekazaz.myartsonline.com/bsr_2020_sri_lanka.pdf
    • https://uploads.strikinglycdn.com/files/cb96e923-2563-41cf-a357-03592330199e/the_supernatural_ways_of_royalty_book_review.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fbd5.bin
ddb87ecec7d11f59774a9725211e587cd1b201d686cc9bd8fbd969a79552397e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFBD5 5460 bytes
font_01_sfnt_off00010e76.bin
15467e1ca9ff3a91fe6562784eb73ddfe5b3798a5699e57c6e29a6c3cf3c5064		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E76 10752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.