Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d869c5874d8fc74…

Verdict: MALICIOUS
File type: PDF
Size: 84.7 KB
Created: 2021-04-01 21:42:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b368e8332862cccb2815993806d97bca
SHA-1: 5e3266d9b4a7f4167b82b620d06df850cb7a0b7e
SHA-256: 5d869c5874d8fc7438f35a88d0f565cada9d03356cacc1da0e78969a0ba252f9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating it likely serves as a phishing or malicious link distribution vector. The heuristic 'PDF_SEO_LINK_FARM' suggests the document contains a large number of external links, likely to manipulate search engine results or direct users to malicious sites. While no scripts were explicitly extracted, the presence of embedded URLs and the overall structure point towards an attempt to redirect users, potentially for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f488.bin | 21637f833a7f23f0a927742d2b879f156f280d091eb87c0e7dc1a5959845bb8e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF488 | 5624 bytes
font_01_sfnt_off0001079a.bin | 9814da9d38fba2602c5ca3aacd4c273daccb4ad5d9b12945cc746123caa28e64 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1079A | 11444 bytes
font_02_sfnt_off00012e64.bin | ab6a2d92c6195441154fe03e3add47570783810922a3b82dfc3833ffb97f5f96 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E64 | 16072 bytes