Malicious PDF — malware analysis report

Static analysis result for SHA-256 63b29a219eb094b8…

MALICIOUS

PDF

Size: 74.4 KB
Created: 2021-06-26 00:45:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 97b40bbcfc8d976fad3d7c4795f102fc
SHA-1: bada1c2be1535eaa2b7ab4ca5c25adc8ebf98f51
SHA-256: 63b29a219eb094b813864e3a50a9a07c87471f40ca3e2413417289c6ceb46eaf
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF document contains a large number of external links, identified as a link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or distributing further malicious content. The document's purpose appears to be directing users to a network of other PDFs, potentially for SEO abuse or to host malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://cdn-cms.f-static.net/uploads/4459917/normal_603b0f2f55667.pdf
    • https://static.s123-cdn-static.com/uploads/4405899/normal_60010bdfe8af2.pdf
    • https://cdn-cms.f-static.net/uploads/4450639/normal_60bd3af38d995.pdf
    • https://cdn-cms.f-static.net/uploads/4459636/normal_602d3c6399534.pdf
    • https://cdn-cms.f-static.net/uploads/4501380/normal_6026e12f8f4ac.pdf
    • https://cdn-cms.f-static.net/uploads/4402262/normal_606b6014d0e43.pdf
    • https://pajobozonojamu.weebly.com/uploads/1/3/3/9/133997184/gowoxipowuvibid.pdf
    • https://dezekebewefe.weebly.com/uploads/1/3/4/7/134731304/bumikozopakuverusix.pdf
    • https://jawokisejul.weebly.com/uploads/1/3/4/6/134601468/46fdeb43f2.pdf
    • https://static.s123-cdn-static-d.com/uploads/4502920/normal_60b04d356e96f.pdf
    • https://cdn-cms.f-static.net/uploads/4421200/normal_6014e19675224.pdf
    • https://cdn-cms.f-static.net/uploads/4376625/normal_605ef76c51a85.pdf
    • https://cdn-cms.f-static.net/uploads/4385230/normal_6028e507e5597.pdf
    • https://rofaxebawo.weebly.com/uploads/1/3/4/7/134750080/bagebe-nizilabuku-kiwulo-puvifidufed.pdf
    • https://static.s123-cdn-static.com/uploads/4415309/normal_5fc79aff6e249.pdf
    • https://static.s123-cdn-static.com/uploads/4486983/normal_5fcaa0e3bf078.pdf
    • https://fasanisig.weebly.com/uploads/1/3/0/7/130739318/fb88e1439cef.pdf
    • https://cdn-cms.f-static.net/uploads/4409238/normal_606ab1828bf6a.pdf
    • https://kasikijafeke.weebly.com/uploads/1/3/1/4/131406722/2075828.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/sq/ugae/~3/4P1vZUbBa90/square?utm_term=attention+to+detail+interview
    • https://uploads.strikinglycdn.com/files/0fa9d64c-e564-40dd-963f-fb97403d7f73/80387335361.pdf
    • https://uploads.strikinglycdn.com/files/404105da-b2e4-467a-b880-8c78278ba330/landice_l7_owners_manual.pdf
    • https://uploads.strikinglycdn.com/files/09527d9b-3f53-41bd-8174-2a7d86a2f143/xuzolapofa.pdf
    • https://uploads.strikinglycdn.com/files/d51ef6ae-70a3-444c-90b9-58f8d77c4ffe/why_is_my_versa_2_not_connecting.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000e70e.bin
    SHA-256: 4c9d46ddd7b08e009ebe10c9e1902b3c87ee77af50aa4db2512b1528b01c1db8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE70E
    Size: 4784 bytes
  • font_01_sfnt_off0000f772.bin
    SHA-256: bdbc1301aaf6595ac95a65514c13228f673fb29f9cea6a5b28eab6f4211fe523
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF772
    Size: 10848 bytes