Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f6f988576e0d8e6…

MALICIOUS

PDF

79.9 KB Created: 2021-05-30 03:44:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: a198ee654be105fd970135bcdccec3b1 SHA-1: cc06d410ceee59e1e02d19f3a49babd75bd31c75 SHA-256: 5f6f988576e0d8e66b1075cf3af5dbaf589ce547cf748dcfedd02b69f573c7c9
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics and an ML classifier as malicious, specifically as a phishing or link farm document. It contains a large number of external links, many pointing to disposable hosting, and one suspicious URL that appears to be a redirector. While no scripts were explicitly extracted, the PDF structure and link farm behavior suggest an attempt to direct users to malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=how+to+know+genital+warts PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4380857/normal_6030a4bad4ea5.pdfIn PDF document text
    • https://sodejokare.weebly.com/uploads/1/3/4/3/134349501/sevebuxawuxab.pdfIn PDF document text
    • https://sonalopuxarore.weebly.com/uploads/1/3/4/3/134310538/0adee623d21c0.pdfIn PDF document text
    • https://pafufido.weebly.com/uploads/1/3/1/4/131407890/satileto-gekatazak-kobonuj.pdfIn PDF document text
    • https://pilidikuvitas.weebly.com/uploads/1/3/4/7/134766888/soxizaloxovurenuliv.pdfIn PDF document text
    • https://jugafuxuxeg.weebly.com/uploads/1/3/2/7/132740719/dopilobifosopi_wirijusunagipad.pdfIn PDF document text
    • https://memudodonimik.weebly.com/uploads/1/3/1/4/131406547/voronajulanitono.pdfIn PDF document text
    • https://zimegusak.weebly.com/uploads/1/3/4/6/134605775/wanufuxum_debogu_bixilonopo.pdfIn PDF document text
    • https://kijiwutexaji.weebly.com/uploads/1/3/4/6/134698992/bijesasotup.pdfIn PDF document text
    • https://runanusug.weebly.com/uploads/1/3/5/3/135313332/nujesuxewuxukiza.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4455642/normal_5fe128be7aedf.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4473890/normal_605e0b456b334.pdfIn PDF document text
    • https://siluxukazikuwo.weebly.com/uploads/1/3/5/3/135326211/wijiv_lofumebilis.pdfIn PDF document text
    • https://gotedajasokidu.weebly.com/uploads/1/3/1/4/131407980/gugirol-guxituduxode-gisar-rapojoro.pdfIn PDF document text
    • https://kepigepejabuji.weebly.com/uploads/1/3/4/3/134315220/jijoper.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/327599d1-9e2c-4c37-8c71-ffe9061e21c8/map_of_the_world_continents_coloring_page.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2f46cbb7-8f4d-444a-b444-076f01be69c1/.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/3a293e36-73cf-4460-8264-d47d5ceecee5/15_interview_questions_every_facility_manager_should_ask_and_answer.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/61aa8f5e-4254-4cf9-b8c6-007737e147be/bios_password_removal_software_download.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/a0f39fd8-3a29-4c39-889f-344507800dc6/74683113584.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/01b103eb-9637-4fc1-b9e7-8a53f525c63b/what_is_security_analysis.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0cfec16c-e049-45ca-9eef-0a4dcbd61744/31751006087.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/badbeea9-4043-4f3f-9d0d-73f1d1ad0fce/according_to_general_relativity_how_is_time_affected_by_gravity.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5568e45c-45d3-48fd-aa60-ba6d5a8fa4ba/gmp_guidelines_pharmaceuticals.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f90e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF90E 4968 bytes
SHA-256: 78bffe0893dfce90c2f6b03543ea296ba65272cbe3378f40c442a714a46e7741
font_01_sfnt_off00010a1a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10A1A 12392 bytes
SHA-256: aa8d5c75a0bfd07459ae8ed1c65a8208576464b3bcb01f93b80e60d250e5db9a