Malicious PDF — malware analysis report

Static analysis result for SHA-256 61f285a7393117b4…

MALICIOUS

PDF

77.3 KB Created: 2021-05-25 07:02:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa6ea9e96c14939e221716b64b9b1a69 SHA-1: 49008237e97e6e4cb9e3fe7c857fda99fdcfb14b SHA-256: 61f285a7393117b4d0cbddb264093ddc3b478499ed9c2c4a6eee23a76c742ee7
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by a ML classifier and ClamAV, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, many pointing to Weebly and other file-hosting services, suggesting a link farm or a distribution point for further malicious content. While no scripts were explicitly extracted, the PDF structure and the presence of numerous external links are indicative of a phishing or malware delivery attempt, likely using embedded JavaScript to facilitate the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zulovinivu.weebly.com/uploads/1/3/4/7/134758195/ruvezetopapezuf.pdf
    • https://nabatiniwoz.weebly.com/uploads/1/3/4/8/134889778/957df7.pdf
    • https://cdn-cms.f-static.net/uploads/4492871/normal_6035d933155cf.pdf
    • https://cdn-cms.f-static.net/uploads/4388820/normal_60220d8a208be.pdf
    • https://cdn-cms.f-static.net/uploads/4476268/normal_605d8ab58fafe.pdf
    • https://static.s123-cdn-static.com/uploads/4380083/normal_5fdec349e8889.pdf
    • https://cdn-cms.f-static.net/uploads/4424330/normal_606e6e9cbf045.pdf
    • https://tojoniwov.weebly.com/uploads/1/3/4/6/134602819/5948180.pdf
    • https://wapubepedud.weebly.com/uploads/1/3/1/4/131455956/vepanadoreli_visotelixej_velak.pdf
    • https://sawalodisixujig.weebly.com/uploads/1/3/4/4/134490012/makoga-busulopafajugi.pdf
    • https://cdn-cms.f-static.net/uploads/4382780/normal_60196d38d2367.pdf
    • https://vamabeloketofip.weebly.com/uploads/1/3/4/3/134344852/9372028.pdf
    • https://cdn-cms.f-static.net/uploads/4375095/normal_6044d96a27de4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://feedproxy.google.com/~r/wb/ENAH/~3/_7yJ53orglQ/wb?keyword=how%20to%20reset%20amazon%20kindle%20model%20d00901
    • https://s3.amazonaws.com/dowavelaxam/27301899374.pdf
    • https://s3.amazonaws.com/sowewazulejewi/the_opposite_of_the_word_solitude.pdf
    • https://s3.amazonaws.com/gedimuta/best_color_for_sheets_feng_shui.pdf
    • https://s3.amazonaws.com/jasadavebaga/31983852949.pdf
    • https://s3.amazonaws.com/fapaga/54205964130.pdf
    • https://s3.amazonaws.com/sesijesule/99658443030.pdf
    • https://s3.amazonaws.com/nitidadufetenu/alzheimer_s_disease_international_report_2017.pdf
    • https://s3.amazonaws.com/jejulurowev/broan_bcdj130bl_glacier_black_range_hood_30-inch.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef95.bin
01c1f6365e53526416dadd01af0fc56b947b4b161d42bbaeee4a77a21f5e8b61		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF95 5488 bytes
font_01_sfnt_off0001023e.bin
77c626a29abc16496a7d7e7fc2cd6b5fc9a910bdcd52dc5a898dd753463e7056		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1023E 10996 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.