Malicious PDF — malware analysis report

Static analysis result for SHA-256 602c784e5fa62d22…

MALICIOUS

PDF

76.9 KB Created: 2021-03-19 07:15:01 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f9576322eca9421896b5c6ca4596361 SHA-1: a1252735b1770343af03263ba6d7eba6febb4311 SHA-256: 602c784e5fa62d224a5a7709a2db8f7ff5bd5c6f22c7ef83c4b9d8ba128da416
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many hosted on disposable domains, suggesting a link farm or phishing campaign. The embedded content, though heavily obfuscated, appears to be part of a lure, possibly related to an email template.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/123?utm_term=email+template+thanking+for+meeting
    • https://static.s123-cdn-static.com/uploads/4426572/normal_5feb97804b4a1.pdf
    • https://cdn-cms.f-static.net/uploads/4366057/normal_5fd2c308ee70e.pdf
    • https://cdn.sqhk.co/sofilita/cHhcEnT/oxygen_tank_regulator.pdf
    • http://idealicaitalia.website/emma_s_adventure_california_restaurantxi2tz.pdf
    • https://cdn.sqhk.co/nikapeke/jmpjegj/emotional_freedom_technique_script.pdf
    • http://50off.pro/72329423668d5r7.pdf
    • https://cdn-cms.f-static.net/uploads/4421199/normal_6029929eae492.pdf
    • https://cdn.sqhk.co/gabixeme/giPLjbE/motown_greatest_hits_full_album_songs.pdf
    • https://static.s123-cdn-static.com/uploads/4388279/normal_5fded86f2353b.pdf
    • http://trokot-new.online/download_minecraft_exploration_lite_games84ab4.pdf
    • http://mif-smeh.space/car_driving_school_simulator_mod_apkbmiwn.pdf
    • https://cdn.sqhk.co/tabuguran/QW7hdje/96285345150.pdf
    • http://smartycredit.info/30_day_green_smoothie_challenge_ebookcctps.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://8533cbf3-c0d6-400c-bdf8-8ca38cf0242b.filesusr.com/ugd/135178_18b66631cd2343e2a679547a542a60a7.pdf?index=true
    • https://168d2a81-f750-40c6-a653-3787650f980d.filesusr.com/ugd/3bcfef_60ce5188291b4b8cb967dabfc3361aa2.pdf?index=true
    • https://c301b42c-deab-4116-afcd-a09dd0728425.filesusr.com/ugd/4bb894_facfd4b8a90b4266997e189b38819449.pdf?index=true
    • https://54957a25-093b-4cbd-a4f0-8eb5fea931f0.filesusr.com/ugd/8ba634_1b103b7ea3d54170b456511229af71c5.pdf?index=true
    • https://6d4a8fb0-9a8a-4850-8aa1-2b5706121c9a.filesusr.com/ugd/ff2e72_4e50b58c90a042958fefd57bc4c55a59.pdf?index=true
    • https://4328a374-8b5c-4134-9cef-e132ca5fc89d.filesusr.com/ugd/6732b1_c8936c7960c546ab86af06ea173e7f9d.pdf?index=true
    • https://1dab3517-3db0-43ff-9fd6-b65b51f65b60.filesusr.com/ugd/565485_2d808b907e6e4518bd45f8a2161b7df2.pdf?index=true
    • https://f07eb630-23ff-4298-a1df-d7940f1ba2dc.filesusr.com/ugd/097a5b_701620bd9bf94a5b9b03261a1bc1163a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/09c5a9b1-8c34-4495-8b38-a038e780e08c/lord_i_need_your_love_lyrics.pdf
    • https://5984e891-aecd-43e6-866f-efdb297c9c35.filesusr.com/ugd/403565_0dfbca30da6c45ffb9667ceba34b513a.pdf?index=true
    • https://86a9da1b-0b57-4b35-a77a-523886b904cd.filesusr.com/ugd/0d9a50_b2675df565f14f61a8291438d371b2f8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/960f6852-208f-4707-98d9-47fab0e951a5/50702902891.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef86.bin
715d3ef4428f5d916b1d188726deaadbc9038130b2034668c8fc7f95e615415d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF86 5156 bytes
font_01_sfnt_off000100ee.bin
405438591020648f7ca1c3df49d418943b655c1b1aa78efe8d9b06f60ce4416d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x100EE 10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.