Malicious PDF — malware analysis report

Static analysis result for SHA-256 60e8b93102c4404a…

MALICIOUS

PDF

90.9 KB Created: 2021-05-20 09:07:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 995aae8d1756370c6d08f4b014aa10db SHA-1: 2a18e4823d7732a8777629d4abc50da9ce30e8fe SHA-256: 60e8b93102c4404aa948a12f266366866c798657f64607a5d9715b9cae5f4833
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains a large number of external links, many pointing to Weebly-hosted PDFs, suggesting a link farm or SEO manipulation tactic. The embedded URL and the PDF_SEO_LINK_FARM heuristic indicate the primary function is to redirect users to a network of other documents, potentially for further malicious activity or to distribute malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://baarspo.ru/strik?utm_term=how+to+maintain+professional+boundaries+in+social+work
    • https://kanelepamub.weebly.com/uploads/1/3/4/1/134132184/240be4eaf.pdf
    • https://zabaparadasikid.weebly.com/uploads/1/3/4/3/134317604/6839618.pdf
    • https://cdn-cms.f-static.net/uploads/4446275/normal_604ae97854488.pdf
    • https://nudetotiba.weebly.com/uploads/1/3/4/8/134872476/5856861.pdf
    • https://fuzaterolipi.weebly.com/uploads/1/3/1/4/131438829/352059.pdf
    • https://tarokomilidifuz.weebly.com/uploads/1/3/1/6/131636676/30dbfcb697701a.pdf
    • https://gomadiwisedewun.weebly.com/uploads/1/3/5/3/135314557/dojonozix.pdf
    • https://static.s123-cdn-static.com/uploads/4449605/normal_5fffb64adeade.pdf
    • https://cdn-cms.f-static.net/uploads/4379491/normal_60414d4a9b1e8.pdf
    • https://tirasuvemesamu.weebly.com/uploads/1/3/4/6/134672388/c767d252ce1c.pdf
    • https://wubinuju.weebly.com/uploads/1/3/4/6/134642725/510508.pdf
    • https://cdn-cms.f-static.net/uploads/4420451/normal_602025b237043.pdf
    • https://cdn-cms.f-static.net/uploads/4412775/normal_5fd1c42c594ea.pdf
    • https://cdn-cms.f-static.net/uploads/4368756/normal_606d448076367.pdf
    • https://bozuzagon.weebly.com/uploads/1/3/4/6/134666742/5375809.pdf
    • https://toxosujaduwo.weebly.com/uploads/1/3/0/8/130874389/cddbd4cbb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/071c2153-6642-4b62-be2f-ada5c8f089e8/citizen_gn-4w-s_band.pdf
    • https://uploads.strikinglycdn.com/files/cf60cf49-fabc-4c23-a004-868724d5e302/wilunumazitosumowi.pdf
    • https://uploads.strikinglycdn.com/files/4324a3fd-5836-4b66-b543-1f8be25bcdad/xanafiwuz.pdf
    • https://uploads.strikinglycdn.com/files/da1a73d5-d1fb-45bf-b916-99429df6964e/vobetawad.pdf
    • https://uploads.strikinglycdn.com/files/97b8e97b-3012-4b8c-9854-502bcbd16be9/how_to_use_the_black_and_decker_toaster_oven.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000118cf.bin
d02562736beb28f37aa9e925abad91958d9be74c7b2be521296998e9a3993820		 pdf-font-stream PDF embedded font (sfnt) at offset 0x118CF 5440 bytes
font_01_sfnt_off00012b31.bin
ca993f9dd568e9c2b0e1197f9b0c3634e45930c152352fd968a5534be7e2337f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12B31 10692 bytes
font_02_sfnt_off00014fbd.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14FBD 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.