Malicious PDF — malware analysis report

Static analysis result for SHA-256 58034a1725e16d0c…

Verdict: MALICIOUS
File type: PDF
Size: 87.5 KB
Created: 2021-04-04 09:51:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a3a002266a5b70f8bbae2059f7b8f4b
SHA-1: 729ea9001a086acbcbe2e86e890465307d4e0b27
SHA-256: 58034a1725e16d0c7cf80b8bfc9b429deee3f84c3ddd1c547fb0da94b3210d39
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, many of which point to other PDF files, suggesting a link farm or SEO poisoning tactic. While no scripts were explicitly extracted, the presence of embedded URLs and the overall structure strongly suggest an attempt to redirect users to potentially malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f69c.bin
    SHA-256: 2c699916dcde7b4e21e5f9aa7b85d74547ab478c292d54ceb874e7a061dcd42c
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF69C; Size: 5208 bytes
  • font_01_sfnt_off00010878.bin
    SHA-256: 37560a5ef61d6e15944a4aff5bfa660366a1e484e2df1a84474779153be39917
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10878; Size: 10820 bytes
  • font_02_sfnt_off00012d12.bin
    SHA-256: ebd2804bff382343e08f6a42dc45f69f4e794c08b23908ae60ba78ededae74b1
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x12D12; Size: 16164 bytes
  • font_03_sfnt_off00014266.bin
    SHA-256: edcd0e28fc82933c8378b1e24566f49e6d523e160b780380340fe3a66b8885a3
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x14266; Size: 3612 bytes