Malicious PDF — malware analysis report

Static analysis result for SHA-256 59d7513a38d0bb64…

Verdict: MALICIOUS
File type: PDF
Size: 80.1 KB
Created: 2021-06-12 12:35:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 539331e0bcd231d1169052f255166755
SHA-1: 6861a578e4933cd6cf2086b4d516c69d1fb72b78
SHA-256: 59d7513a38d0bb64aa06e27dd4692d4892178d68db48a0c52c200aca1073cb25
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains numerous clickable external links, the pattern of generated SEO link-farm PDFs that rank for search queries and route visitors to malicious or scam websites. The ML classifier score and the ClamAV signature both mark the file as malicious, most likely a phishing or trojan-delivery carrier. The embedded URLs and the document's structure indicate it is built to redirect users to harmful content; the file itself carries no exploit, so the risk lies in the linked destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a JavaScript, Launch or URI action).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crewmak.ru/pbw?utm_term=make+a+discord+pfp (PDF link annotation)
    • https://sikevitexin.weebly.com/uploads/1/3/5/3/135301450/wezukix.pdf (in PDF document text)
    • https://tupunatuluzike.weebly.com/uploads/1/3/1/3/131383671/3156166.pdf (in PDF document text)
    • https://lepivigodegobuz.weebly.com/uploads/1/3/7/5/137505729/gorizagubiwawilafupi.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/80ce3f8e-b0eb-4654-ad3d-cef9b806ec04/how_to_troubleshoot_kitchenaid_ice_maker.pdf (in PDF document text)
    • http://kikipudojuzo.pbworks.com/f/jadedotezuxozev.pdf (in PDF document text)
    • http://zogekinovag.pbworks.com/f/vegopusupikadewalediwogiz.pdf (in PDF document text)
    • http://kufujibumufa.pbworks.com/f/kolebevifob.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a208ded8-4881-479c-8c94-8316eaa32959/46607502411.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7b86eb9a-1f26-4549-9a22-a5fadc942cc4/17197925477.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3942fe3d-364d-4a0c-b7b7-689fd5e7e7c8/how_to_prepare_ammonium_acetate_buffer_ph_7.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4de58e6b-eac8-4a33-9758-278029eb4828/jisab.pdf (in PDF document text)
    • http://jesababa.pbworks.com/w/file/fetch/144425529/account_of_non_trading_concern.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/872b95df-8cea-45ea-b180-7fe016b509a4/62671167399.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/463bcf72-dbe9-4825-8557-8532ed68e7d0/xolojusapekojek.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a5da933f-daed-4583-a23b-cc060da0e5cf/first_alert_model_p1210_turn_off.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/175b2773-e5b1-4190-b3a2-e7913f90b12c/how_to_reply_email_for_unsuccessful_job_application.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
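The following Python script is an added illustration for this report and is not the scanner's own code. It re-derives, on a constructed sample PDF, the two structural heuristics listed above: the link-farm host clustering behind PDF_SEO_LINK_FARM / PDF_SEO_DISPOSABLE_LINK_FARM (including the utm_term redirector and disposable-host checks and the per-channel URL labelling of EMBEDDED_URL), and the duplicate-object detection behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, showing what a first-wins and a last-wins reader would each resolve. The sample PDF bytes, the disposable-host suffixes (taken from the hosts in this report's URL list) and the link-count and dominant-share thresholds are assumptions; the scanner's real thresholds are not published on this page.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (assumption): five clickable /URI link annotations on five
# hosts, one a utm_term redirector; one URL present only in page text; and
# object "5 0" redefined by an appended incremental update with a new body
# that carries a JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 10 0 R /Annots [4 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://crewmak.ru/pbw?utm_term=make+a+discord+pfp) >> >> endobj
5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.weebly.com/uploads/1/x.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://b.weebly.com/uploads/2/y.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://uploads.strikinglycdn.com/files/1/z.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://c.pbworks.com/f/w.pdf) >> >> endobj
10 0 obj << >> stream
BT (http://www.w3.org/1999/02/22-rdf-syntax-ns#) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Action /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
RAW_URL_RE = re.compile(rb"https?://[^\s()<>]+")
# Keys that make an object "active": it runs code, opens or fetches something.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")
# Free/disposable content hosts, taken from this report's URL list (assumption).
DISPOSABLE_SUFFIXES = ("weebly.com", "pbworks.com", "strikinglycdn.com")


def iter_objects(pdf):
    """Yield ((num, gen), body) for every `N G obj ... endobj`, in file order,
    so an incremental-update redefinition appears as a second entry."""
    for m in OBJ_RE.finditer(pdf):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: keys defined more than once with
    different bodies, plus what first-wins and last-wins readers resolve."""
    versions = {}
    for key, body in iter_objects(pdf):
        versions.setdefault(key, []).append(body)
    findings = {}
    for key, bodies in versions.items():
        if len(set(bodies)) > 1:  # identical re-emits are harmless
            findings[key] = {
                "versions": len(bodies),
                "first_wins": bodies[0],
                "last_wins": bodies[-1],
                # severity only rises when a version carries active content
                "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
            }
    return findings


def extract_urls(pdf):
    """EMBEDDED_URL: [(url, channel)]; 'link annotation' is a clickable /URI
    action, 'document text' any other occurrence of the URL in the file."""
    annots = [m.group(1).decode("latin-1") for m in URI_ANNOT_RE.finditer(pdf)]
    found, seen = [(u, "link annotation") for u in annots], set(annots)
    for m in RAW_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "document text"))
    return found


def link_farm_verdict(urls, min_links=5, dominant_share=0.5):
    """Cluster clickable links by host: one dominant host -> PDF_SEO_LINK_FARM;
    spread thin plus utm_term/disposable hosting -> PDF_SEO_DISPOSABLE_LINK_FARM.
    Thresholds are assumptions for this example."""
    clickable = [u for u, channel in urls if channel == "link annotation"]
    hosts = Counter(urlparse(u).hostname or "" for u in clickable)
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / total if total else 0.0
    utm = any("utm_term=" in u for u in clickable)
    disposable = any(h.endswith(DISPOSABLE_SUFFIXES) for h in hosts)
    label = None
    if total >= min_links and share >= dominant_share:
        label = "PDF_SEO_LINK_FARM"
    elif total >= min_links and (utm or disposable):
        label = "PDF_SEO_DISPOSABLE_LINK_FARM"
    return {"links": total, "hosts": len(hosts), "dominant_host": top_host,
            "dominant_share": round(share, 3), "utm_term": utm,
            "disposable_host": disposable, "label": label}


if __name__ == "__main__":
    for key, f in duplicate_objects(SAMPLE_PDF).items():
        print(key, f["versions"], "versions, active =", f["active"])
    urls = extract_urls(SAMPLE_PDF)
    print(link_farm_verdict(urls))
```

On the sample, object 5 0 is reported with two differing versions and active content (a first-wins reader sees a font dictionary, a last-wins reader sees the JavaScript action), and the five clickable links spread over five hosts with a utm_term redirector and disposable hosts yield PDF_SEO_DISPOSABLE_LINK_FARM rather than PDF_SEO_LINK_FARM. Regex object scanning is deliberate here: it sees every definition in the byte stream, whereas a conforming parser follows the xref and only ever shows one.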

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f8f2.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF8F2
Size: 5188 bytes
SHA-256: 7e99106035579eb9970a3fbafd8be58b9d15d19b21f2db5e1e8d38ceb9720e3b

Filename: font_01_sfnt_off00010ab8.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10AB8
Size: 11532 bytes
SHA-256: 7608fbac969a40f10c8dd0b8c149e639fb4b4141af26b7e555eeeb0b6b3e9847