Malicious PDF — malware analysis report

Static analysis result for SHA-256 5798acf12a4af35a…

MALICIOUS

PDF

73.6 KB Created: 2020-12-26 05:44:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f8414425da70655f98670d34072fdb34 SHA-1: e9a36d8df893d3798bc3f3a77ce96145226d8af5 SHA-256: 5798acf12a4af35acf6103643fba1d8298afb6a41c1e28a2c540e48a739d9db2
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic identifying it as a link farm designed to distribute SEO-optimized PDFs. The presence of a malicious ML classification and ClamAV detection, along with the embedded URL pointing to a suspicious domain, strongly suggests malicious intent. While no scripts were directly extracted, the PDF structure and link farm behavior indicate it's likely used to redirect users to malicious sites for phishing or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/strik?utm_term=occupational+health+and+safety+act+2020
    • https://tubenuluni.weebly.com/uploads/1/3/1/4/131437864/tuluzeli.pdf
    • https://cdn.sqhk.co/xumobopore/hiejjbp/horizon_blue_cross_blue_shield_member_services.pdf
    • https://cdn-cms.f-static.net/uploads/4415080/normal_5fa6fd05c410a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/patotale/free_powerpoint_templates_blueprint_background.pdf
    • https://s3.amazonaws.com/tibanepoxilibud/12945642686.pdf
    • https://uploads.strikinglycdn.com/files/606b3da7-07ee-4849-811b-0e3a9fb7fe24/nokevirina.pdf
    • https://s3.amazonaws.com/loneminovu/android_player_graphic_equalizer.pdf
    • https://uploads.strikinglycdn.com/files/f72bafd6-67a3-4ceb-afe1-ea5fee61654e/52521818803.pdf
    • https://s3.amazonaws.com/xefezesebusu/adventure_quest_warrior_guide.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e13b.bin
75153c3152ba075f3071d88b286ebbfeeb5a3baaad052080986d5d2042fdcc4d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE13B 5548 bytes
font_01_sfnt_off0000f41c.bin
88c78f0f20c93eaa6d835499c72887367a144f9af15fb7a572e9cf1fab416acf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF41C 11296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.