Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d24bc36c3242de4…

Verdict: MALICIOUS
File type: PDF
Size: 79.5 KB
Created: 2021-03-30 09:17:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 250db36ebd98a450a4e040f0f144e099
SHA-1: 29ad1d78ae636f9ce21adfe6e4f56c846d9d9aea
SHA-256: 5d24bc36c3242de467548d72134563c3510d7ffe98743541bf40dd9c2b7dac9b
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by several independent signals: a critical ClamAV signature match, a Nyx PDF Classifier malicious score of 0.9997 and the PDF_SEO_LINK_FARM heuristic. The document is small (79.5 KB), was generated from HTML by wkhtmltopdf, and carries dozens of clickable external links to other PDFs, clustered on a handful of free-hosting domains (uploads.strikinglycdn.com, *.filesusr.com, *.epizy.com, rf.gd, cdn.sqhk.co). That is the shape of a generated SEO link-farm carrier used to route users into unwanted-software or malicious download chains, not the citation pattern of a genuine document. One indirect object is also defined twice with different bodies, so a first-wins and a last-wins reader may resolve different content. None of the five heuristics reports embedded JavaScript; the observed delivery mechanism is the /URI link actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION [critical]: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature named above.
  • PDF_URI [info]: External URI
    PDF contains an external URL action (/URI), i.e. a link that opens a URL in the browser when activated.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL [info]: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a /URI, /JS or /Launch action).
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the last seven entries in the list below (the w3.org RDF, purl.org Dublin Core and ns.adobe.com XMP/PDF namespace URIs, and the scripts.sil.org/OFL font-licence URL) are schema identifiers and font metadata found in any PDF carrying XMP metadata and embedded open-licence fonts; they are almost certainly not clickable link targets and should be excluded when counting the link farm.
    • https://druttle.ru/award?keyword=tube+digestif+cours+pdf
    • http://interbankdigital.com/howl_allen_ginsberg_full_movie2bxt4.pdf
    • http://themarkuzmusic.com/wawisiwevukujanipebamkjbyf.pdf
    • https://cdn.sqhk.co/rekutadis/WQhbjhj/dusttale_sans_theme_roblox.pdf
    • http://classicalnaturally.com/26202062212thy52.pdf
    • https://cdn.sqhk.co/wuzirixowev/nYPmFBh/gituzofesulega.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/4bac9193-436d-44e1-a082-c62a6faad334/mogesigus.pdf
    • http://suboxasolu.rf.gd/apoorva_kannada_full_movie_free.pdf
    • https://9dc8676a-0e58-44ee-a512-e339c7094702.filesusr.com/ugd/7c0652_bc37b15470c3470fa7b53827c47b1278.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2d16908b-14db-4108-915a-75ad94558428/koravukuxepezotidarorugi.pdf
    • https://uploads.strikinglycdn.com/files/3d5d267b-cbf4-4a6d-9dde-4dfc1d8d3dcb/landscape_photography_coffee_table_books.pdf
    • https://4993f9ff-345c-4c03-a8ec-d4f8dac664d6.filesusr.com/ugd/debbe1_7074d04ad7834b84964e053b8465b92a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3a77fe9b-da77-4e86-a54b-081229d86f24/3552593503.pdf
    • https://ce099f17-eb12-430b-a452-8d789b3ee5a8.filesusr.com/ugd/aef5b7_ca3181ffa29640fbb4899adccdb84334.pdf?index=true
    • https://cc968bdf-8a18-4a65-a72d-893c706ef441.filesusr.com/ugd/bae363_37e181a39a3a422abb96acda0115dd7d.pdf?index=true
    • http://dufovufozotetan.epizy.com/sql_fundamentals_certification_free.pdf
    • https://uploads.strikinglycdn.com/files/2221e6b1-7dd9-4259-a23a-7edabf6c7fd4/46634857121.pdf
    • https://uploads.strikinglycdn.com/files/a30e0927-f933-4d2c-bac4-1e31f375cdbe/21709375405.pdf
    • https://uploads.strikinglycdn.com/files/bc4aa3a7-3894-4c0e-a14d-43088d9a0f9b/ruluxokasixolo.pdf
    • https://7f03322d-63d6-449b-a8c2-a80beffeb2b6.filesusr.com/ugd/2994dd_84fc7f291eaa416ca11a3d891a459e05.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0276df4e-5984-4ef4-aec1-f21802f59945/3824978468.pdf
    • https://uploads.strikinglycdn.com/files/5c7f50f2-a414-4ca4-99a5-c79fa0f8b63e/fikafusenepibezanesefafu.pdf
    • http://sabesadunapas.epizy.com/how_do_you_take_blood_pressure_with_a_wrist_cuff.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
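The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the channel distinction made by EMBEDDED_URL can be reproduced with a short triage script. The following is an added example written for this page, not the analysis platform's code. It builds a constructed sample PDF (the object layout, the example.net/example.org/example.com hostnames and the incremental update are all made up for the demonstration), reports indirect objects defined twice with first-wins and last-wins resolution, clusters /URI targets by host to score the link-farm shape, and separates URLs reached through link actions from XMP namespace URIs that merely sit in metadata.

```python
"""Triage a PDF for two of the heuristic shapes listed above: indirect
objects defined twice with different bodies, and a cluster of external
/URI link actions (link-farm carrier). Added example, not the analysis
platform's own code; the sample PDF is constructed inline."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Triage regexes over the raw bytes. A real parser honours /Length and the
# xref table; matching every "N G obj ... endobj" is what exposes duplicates.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")            # link-action target
RAW_URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+")   # any URL, any channel
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def parse_objects(data):
    """Map (object number, generation) -> list of bodies in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """IDs defined more than once with differing bodies -> first/last body.
    Severity is 'high' only when a body carries active content, mirroring
    the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL rule text."""
    out = {}
    for (num, gen), bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            first, last = bodies[0], bodies[-1]
            active = any(k in first or k in last for k in ACTIVE_KEYS)
            out["%d %d" % (num, gen)] = {"first": first, "last": last,
                                         "severity": "high" if active else "info"}
    return out


def uri_actions(objs, winner="last"):
    """URLs reachable through /URI actions, resolving duplicate object
    definitions the way a first-wins or last-wins reader would."""
    urls = []
    for bodies in objs.values():
        body = bodies[-1] if winner == "last" else bodies[0]
        urls += [u.decode("latin-1") for u in URI_RE.findall(body)]
    return urls


def link_farm_score(urls, min_links=8, cluster_ratio=0.5):
    """Link-farm shape: many clickable external links, mostly on one host."""
    hosts = Counter(urlparse(u).hostname for u in urls)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_n / len(urls) if urls else 0.0
    return {"links": len(urls), "top_host": top_host, "ratio": round(ratio, 3),
            "link_farm": len(urls) >= min_links and ratio >= cluster_ratio}


def url_channels(data, objs):
    """Split extracted URLs by channel: /URI action versus everything else
    (XMP namespace identifiers, font licence URLs, body text)."""
    via_action = set(uri_actions(objs, "first")) | set(uri_actions(objs, "last"))
    raw = {u.decode("latin-1") for u in RAW_URL_RE.findall(data)}
    return {"uri_action": sorted(via_action), "metadata_or_body": sorted(raw - via_action)}


def triage(data):
    """Run all three checks over raw PDF bytes and return one report."""
    objs = parse_objects(data)
    return {"duplicates": duplicate_objects(objs),
            "first_wins": link_farm_score(uri_actions(objs, "first")),
            "last_wins": link_farm_score(uri_actions(objs, "last")),
            "channels": url_channels(data, objs)}


def build_sample_pdf():
    """Constructed sample (not the analysed file): nine link annotations,
    seven on one host, XMP namespace URIs, and an incremental update that
    redefines annotation object 5 with a different target."""
    links = ["https://cdn.example.net/u/%d.pdf" % i for i in range(7)]
    links += ["http://mirror.example.org/a.pdf", "http://mirror.example.org/b.pdf"]
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/'/></x:xmpmeta>")
    annot = b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>"
    parts = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
             b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
             b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp),
             b"<< /Type /Page /Parent 2 0 R /Annots [%s] >>" % b" ".join(b"%d 0 R" % n for n in range(5, 14))]
    parts += [annot % u.encode() for u in links]
    pdf = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, p) for n, p in enumerate(parts, 1))
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: a last-wins reader follows this target for object 5.
    pdf += b"5 0 obj\n%s\nendobj\n" % (annot % b"https://dropper.example.com/payload.pdf")
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2, default=str))
```

Running the script prints the triage report for the constructed sample: object "5 0" is flagged high because both bodies carry a /URI action, the first-wins view shows nine links with seven on cdn.example.net, the last-wins view shows the dropper target that only appears after the incremental update, and the two namespace URIs land in the metadata channel rather than the link-action channel. For a real sample, read the file bytes and pass them to triage(); the regexes deliberately ignore xref and /Length so that every definition a lenient reader might pick is seen.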

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                     | Size
font_00_sfnt_off0000f6a6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF6A6  | 5172 bytes
  SHA-256: fa13dfb15a65bd6b4e8a0b4646aaa9062ebbe4d56156ecaaec5327d826d2e98f
font_01_sfnt_off00010852.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10852 | 12096 bytes
  SHA-256: 628d59d4390b05d55d66f1e053472ec5a8d95dc3b6106758d17a64a500689ad5