Malicious PDF — malware analysis report

Static analysis result for SHA-256 601344a838c81e01…

MALICIOUS

PDF

Size: 69.7 KB
Created: 2021-03-22 20:12:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: 17893aa59b76686a0032ea8a5139fc3c
SHA-1: 2201faf720cd2ac7af58decc2356b10563678441
SHA-256: 601344a838c81e0112dbaf94b17cb42000d158ac86aa13e39c7e24e5625604b1
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by ClamAV (a Pdf.Phishing.Trojan signature) and by the Nyx ML classifier (score 0.9993), consistent with a phishing lure. It carries a clickable link annotation pointing to a suspicious domain (maypoin.ru), likely used to serve further malicious content or a phishing page. The document body is also packed with external links to PDFs hosted on a handful of file-hosting services, a structure characteristic of generated SEO link-farm PDFs that route search-engine traffic into malicious or unwanted-software delivery chains. Note that none of the heuristics below reports embedded JavaScript, so the T1059.007 mapping is not corroborated by the static findings in this report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/123?utm_term=briggs+and+stratton+platinum+engine+190cc+manual (PDF link annotation)
    • https://ruwalabipuges.weebly.com/uploads/1/3/4/4/134465281/451900.pdf (in PDF document text)
    • https://baneboveboxov.weebly.com/uploads/1/3/0/7/130775782/gofojetalutoko.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4381541/normal_6005503ea0bdd.pdf (in PDF document text)
    • https://xitapazutirubej.weebly.com/uploads/1/3/4/8/134882608/nipodulenogimugafalu.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4466411/normal_6012512713909.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4378160/normal_5fd876451a0a9.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/efe0b0a4-f673-47f2-a5f8-f16c8da25dd1/selatodifomejafu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/31db0356-5f88-43ba-b813-181927a84674/harry_potter_12_days_of_socks_mens.pdf (in PDF document text)
    • https://s3.amazonaws.com/farowug/77846899472.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/683c4cbf-0477-4cc6-80d1-0da118a3bd40/advanced_dungeons_and_dragons_players_handbook_2nd_edition.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/baafc483-6428-460a-bc9a-06622dabd269/telugu_short_stories_with_author_name_and_book_name.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7c9a761c-e7cc-4e23-8e7e-505cd551b0b1/poliwisipufuv.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e231e69c-909e-4e4d-a9cb-123671605581/bepokogoripe.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/184eb42f-f897-4a7f-9f6b-c096723a93d4/17_indisputable_laws_of_teamwork_ppt.pdf (in PDF document text)
    • https://s3.amazonaws.com/minabiwa/96976244147.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/85cd06a9-b220-4abc-b5d5-af717dfaa044/university_of_edinburgh_os_maps.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c968bece-a8ea-40ea-a932-6ceb0d6eb1a7/bojabidoluvuroxa.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1fd5dc5f-e381-410d-a53e-403c021c8a87/how_to_learn_italian_easy.pdf (in PDF document text)
    • https://s3.amazonaws.com/rizoli/the_divine_comedy_purgatorio_summary.pdf (in PDF document text)
    • https://s3.amazonaws.com/dukajevo/kiwug.pdf (in PDF document text)
    • https://s3.amazonaws.com/dalava/what_kind_of_battery_does_a_car_remote_take.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a1781fec-e99a-42ff-a850-66623d3672c1/medajodumaxow.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cdf392f4-a8f3-43e0-9a65-eb227a6324e3/daikin_mini_split_error_code_00.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
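The three structural heuristics above (PDF_SEO_LINK_FARM, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, and the per-channel labelling behind EMBEDDED_URL / PDF_URI) can be reproduced with a few byte-level scans. The block below is an added example written for this page, not the scanner's own code. It runs over a small constructed PDF with made-up .test hostnames, assumes the streams are uncompressed, and uses illustrative thresholds (file at most 256 KB, at least five external .pdf links, at least half of them on one host) that the report does not state.

```python
"""Added example (not the scanner's code): PDF link-farm, duplicate-object and
URL-channel heuristics as byte-level scans over an uncompressed PDF."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not the analysed file: one page whose content stream holds
# several .pdf links clustered on one host, one /URI link annotation, and an
# incremental update that redefines object 5 with a different /URI target.
# /Length values are placeholders; this scanner never reads them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Length 0 >>\nstream\n"
    b"BT (https://cdn.example-farm.test/u/1/a.pdf) Tj ET\n"
    b"BT (https://cdn.example-farm.test/u/2/b.pdf) Tj ET\n"
    b"BT (https://cdn.example-farm.test/u/3/c.pdf) Tj ET\n"
    b"BT (https://cdn.example-farm.test/u/4/d.pdf) Tj ET\n"
    b"BT (https://cdn.example-farm.test/u/5/e.pdf) Tj ET\n"
    b"BT (https://s3.example-bucket.test/x/f.pdf) Tj ET\n"
    b"BT (http://www.fontvendor.test/) Tj ET\n"
    b"endstream\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://lure.example.test/123?utm_term=manual) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body bytes.
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://second-stage.example.test/) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Keys whose presence in a duplicated body turns "body differs" into a real finding.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA")


def extract_urls(pdf):
    """Return [(url, channel)]: 'link annotation' for /URI actions (PDF_URI),
    'document text' for anything else the generic URL regex finds."""
    annot = {m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)}
    seen, urls = set(), []
    for m in URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            urls.append((url, "link annotation" if url in annot else "document text"))
    return urls


def link_farm_check(pdf, urls, max_size=256 * 1024, min_links=5, min_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, mostly on one host.
    Thresholds are illustrative assumptions, not the report's values."""
    pdf_links = [u for u, _ in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    flagged = len(pdf) <= max_size and len(pdf_links) >= min_links and share >= min_share
    return {"pdf_links": len(pdf_links), "top_host": top_host,
            "share": round(share, 3), "flagged": flagged}


def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (number, generation) defined more
    than once with differing bodies; severity raised only for active content."""
    defs = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    findings = []
    for key, bodies in defs.items():
        if len(bodies) > 1 and bodies[0] != bodies[-1]:
            active = any(k in bodies[0] or k in bodies[-1] for k in ACTIVE_KEYS)
            findings.append({"obj": key, "definitions": len(bodies),
                             "first_wins": bodies[0], "last_wins": bodies[-1],
                             "severity": "critical" if active else "info"})
    return findings


def scan(pdf):
    urls = extract_urls(pdf)
    return {"urls": urls, "link_farm": link_farm_check(pdf, urls),
            "duplicate_objects": duplicate_objects(pdf)}


if __name__ == "__main__":
    report = scan(SAMPLE_PDF)
    for url, channel in report["urls"]:
        print(f"{channel:16} {url}")
    print("link farm:", report["link_farm"])
    for f in report["duplicate_objects"]:
        print(f"object {f['obj']} defined {f['definitions']}x, severity {f['severity']}")
        for label in ("first_wins", "last_wins"):
            m = URI_ACTION_RE.search(f[label])
            print(f"  {label}: {m.group(1).decode('latin-1') if m else '(no /URI)'}")
```

Two caveats for real samples. First, the document-text channel sweeps up whatever string matches a URL, so the XMP namespace identifiers in the report's own list (w3.org, purl.org, ns.adobe.com) are metadata schema names rather than clickable links and should be filtered before they count towards a link-farm score. Second, real carriers usually keep page content in FlateDecode streams, so the streams have to be inflated first (for example with pdf-parser.py or pikepdf) before a raw byte scan like this one sees the text URLs at all.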

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cfa0.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCFA0
  Size: 5792 bytes
  SHA-256: 35a6a991ff4f93e2f8e47479fb173ed3e4c7b32a0408f12c9cb120297d871e86
Filename: font_01_sfnt_off0000e34c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE34C
  Size: 11004 bytes
  SHA-256: 391920e3eb80b6664725045a28dc585cddd3d36b712d3071ba840ea07f013119