Malicious PDF — malware analysis report

Static analysis result for SHA-256 61db62238475f3c0…

MALICIOUS

PDF

Size: 79.2 KB
Created: 2021-04-24 18:50:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2c678c2668b7362a2549f833bac5698c
SHA-1: 98f3cfe13d3e29ff5f3ca1db034a2aec1ca04b63
SHA-256: 61db62238475f3c0d451f16a202606959d0b96313a4074f6a9a342b548becf31
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to other PDF files, suggesting a link farm or SEO spam campaign. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were explicitly extracted, the presence of numerous external URLs and the PDF structure indicate a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000ea45.bin
    SHA-256: 9515a2a8f4dcab35e488201b37d07e8d420ef7dd56b94a2168e8b9720022dbbf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEA45
    Size: 5028 bytes
  • font_01_sfnt_off0000fb3b.bin
    SHA-256: d05b5c84d1c6430e05228f08a81ef1930544ac44de436a8c42c13ddc103521ce
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB3B
    Size: 11588 bytes
  • font_02_sfnt_off0001208a.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1208A
    Size: 4324 bytes