Malicious PDF — malware analysis report

Static analysis result for SHA-256 660876ede4cb374f…

Verdict: MALICIOUS
File type: PDF
Size: 75.3 KB
Created: 2021-05-27 03:25:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c62149352752f995051135ada6df73d2
SHA-1: 3a12c7a02a387f59fa6dc2031931d8c7ceea01e2
SHA-256: 660876ede4cb374f5f54f0c85fc7dded389a99e56205753d279e6b37d3d526ef
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links to other PDFs, clustered on a handful of free-hosting domains (weebly.com subdomains, cdn-cms.f-static.net, uploads.strikinglycdn.com). That is the shape of a generated link farm, which points to a phishing or unwanted-software distribution lure rather than a normal document. The ClamAV signature and the ML classifier (score 0.9995) both indicate malicious intent. No script objects were extracted, so the T1059.007 (JavaScript) mapping above is not supported by this sample's static evidence and should be read as a capability of the wider delivery chain rather than of the file itself; the observable behaviour is limited to routing a reader who clicks a link to externally hosted PDFs, most likely as the first stage of a broader attack. The producer string (wkhtmltopdf 0.12.5) is consistent with an HTML page rendered to PDF in bulk, which fits the link-farm pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF carries many clickable external links to other PDFs, mostly clustered on a handful of free-hosting domains (weebly.com subdomains, cdn-cms.f-static.net, uploads.strikinglycdn.com). This matches generated SEO link-farm PDF carriers used to route readers into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware with the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI [info] PDF_URI
    The PDF contains at least one external URI action (a /URI entry in a link annotation or action dictionary).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins parser and a last-wins parser will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content (such as JavaScript); here it stays at info.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, metadata, not reproduced in this extract) say which path reached each one. The www.w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers from the metadata stream, and www.ascendercorp.com and scripts.sil.org/OFL are most likely vendor and licence URLs carried in the embedded fonts; none of these is a clickable target.
    • https://pelibifir.ru/strik?utm_term=cnpgd+smartwatch+manual
    • https://sasozubavurak.weebly.com/uploads/1/3/4/8/134886198/tagusatukobob-todomotebi.pdf
    • https://warogowi.weebly.com/uploads/1/3/1/6/131606132/8867572.pdf
    • https://cdn-cms.f-static.net/uploads/4466675/normal_5fd1d8a8d329b.pdf
    • https://wobofosowipifir.weebly.com/uploads/1/3/0/7/130776138/nobale_xagebaxu_narenorisixilo_ririt.pdf
    • https://cdn-cms.f-static.net/uploads/4392861/normal_5fdb07e7487e5.pdf
    • https://cdn-cms.f-static.net/uploads/4414695/normal_6036cbda3b852.pdf
    • https://nenusobodi.weebly.com/uploads/1/3/1/4/131406558/2491528.pdf
    • https://cdn-cms.f-static.net/uploads/4405641/normal_603723c2e7307.pdf
    • https://kutepuwabaluv.weebly.com/uploads/1/3/2/6/132681670/dapiwanakelexesodu.pdf
    • https://cdn-cms.f-static.net/uploads/4369304/normal_6038519975d0e.pdf
    • https://cdn-cms.f-static.net/uploads/4408981/normal_603c5088b0367.pdf
    • https://kifeketefisub.weebly.com/uploads/1/3/5/3/135347095/8937488.pdf
    • https://cdn-cms.f-static.net/uploads/4373241/normal_601c9dd236b97.pdf
    • https://libadelalisam.weebly.com/uploads/1/3/4/5/134579317/bolum-pijonin-zovumuma.pdf
    • https://rabavuvorek.weebly.com/uploads/1/3/1/0/131070866/e547abd3.pdf
    • https://static.s123-cdn-static.com/uploads/4379603/normal_5fee11f96b535.pdf
    • https://jagedebake.weebly.com/uploads/1/3/0/7/130738918/sugaf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/a2338a0f-2e3e-47ac-b45c-3b7fde5c1639/pafalomokododemazam.pdf
    • https://uploads.strikinglycdn.com/files/0c904f19-1af6-4353-8dd7-b6a66bf0afd1/7522669893.pdf
    • https://uploads.strikinglycdn.com/files/22d0465d-964c-4428-885c-7f315080f219/zagojekodupifasizasapizu.pdf
    • https://uploads.strikinglycdn.com/files/7c007cce-f758-4209-80d1-3e9f9515d78e/ruxod.pdf
    • https://uploads.strikinglycdn.com/files/8d49c3f5-2078-4b09-ad52-f66a9d8f73aa/wayne_dyer_quotes.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
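
The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced on raw bytes with a few regular expressions. The following is an added example written for this page, not the analysis platform's own code and not content of the analysed file: it builds a constructed toy PDF (the hosts example-farm.invalid and other.invalid, the object layout and every threshold are assumptions), counts /URI targets per host to decide whether the file looks like a link farm, and lists object numbers defined twice with differing bodies, showing what a first-wins and a last-wins reader would each resolve and whether the duplicate carries active content.

```python
"""Added example: minimal link-farm and duplicate-object scanner for PDF bytes.

Constructed sample and thresholds are assumptions; the analysed file is not
reproduced here. A regex pass over raw bytes is deliberately crude: it ignores
object streams, hex-encoded strings and escaped parentheses. For real triage
use a proper parser (pikepdf/pdfminer) and treat this as the shape of the
heuristic, not a production detector."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Indirect object "N G obj ... endobj" (duplicates kept in file order).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Literal-string /URI action target, e.g. /A << /S /URI /URI (https://...) >>
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that mean "active content" for the severity bump (assumed list).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")


def parse_objects(data):
    """All indirect objects as (num, gen, body), in file order, duplicates kept."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def extract_uris(data):
    """Every /URI action target in the file, decoded as Latin-1."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_check(data, max_size=200_000, min_links=10, cluster_share=0.5):
    """PDF_SEO_LINK_FARM-style heuristic: small file, many external links,
    most of them on one host. Thresholds are assumptions."""
    uris = extract_uris(data)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(uris) if uris else 0.0
    hit = len(data) <= max_size and len(uris) >= min_links and share >= cluster_share
    return {"size": len(data), "links": len(uris), "hosts": len(hosts),
            "top_host": top_host, "top_share": round(share, 2), "hit": hit}


def duplicate_object_check(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style heuristic.

    Returns {(num, gen): {...}} for every object number defined more than once
    with differing bodies, with what a first-wins and a last-wins parser would
    resolve and whether any definition carries active content."""
    bodies = defaultdict(list)
    for num, gen, body in parse_objects(data):
        bodies[(num, gen)].append(body)
    findings = {}
    for key, seen in bodies.items():
        if len(seen) > 1 and len(set(seen)) > 1:
            active = any(ACTIVE_RE.search(b) for b in seen)
            findings[key] = {"definitions": len(seen),
                             "first_wins": seen[0], "last_wins": seen[-1],
                             "active": active,
                             "severity": "critical" if active else "info"}
    return findings


def build_sample_pdf(n_links=12, farm_host="example-farm.invalid",
                     second_host="other.invalid"):
    """Constructed toy PDF (not the analysed sample): n_links link annotations,
    three of every four pointing at farm_host, followed by an incremental
    update that redefines two objects with different bodies."""
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"]
    annot_nums = list(range(4, 4 + n_links))
    annots = b" ".join(b"%d 0 R" % n for n in annot_nums)
    objs.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots
                + b"] >>\nendobj\n")
    for i, n in enumerate(annot_nums):
        host = second_host if i % 4 == 0 else farm_host
        uri = b"https://%s/doc%d.pdf" % (host.encode(), i)
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
                    b" /A << /S /URI /URI (" % n + uri + b") >> >>\nendobj\n")
    body = b"%PDF-1.4\n" + b"".join(objs)
    # Incremental update. Object 4 only swaps its URI (a body-only difference,
    # stays at info); object 3 gains an /AA dictionary with JavaScript, i.e.
    # active content, which is what raises the duplicate to critical.
    update = (b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
              b" /A << /S /URI /URI (https://" + farm_host.encode()
              + b"/swap.pdf) >> >>\nendobj\n"
              b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots
              + b"] /AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> >>\nendobj\n")
    return body + update


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(link_farm_check(pdf))
    for key, f in duplicate_object_check(pdf).items():
        print(key, f["severity"], "first-wins:", f["first_wins"][:50],
              "last-wins:", f["last_wins"][:50])
```

On the constructed sample the link check counts 13 /URI targets across two hosts, ten of them on the farm host, and fires; the duplicate check reports object 4 0 at info (URI changed, no active content) and object 3 0 at critical (the last-wins body carries /AA with JavaScript while the first-wins body does not). Note that the update's swapped URI is counted too, so the same scan shows why first-wins and last-wins readers would send a clicking user to different hosts.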

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType-format) font programs, which is normal for a document rendered by wkhtmltopdf; no heuristic above fires on them.

  • font_00_sfnt_off0000e9db.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE9DB
    Size: 5484 bytes
    SHA-256: 7bb38d379fd4cef13cc22e70fce4ec3f4ed6663261f1a2addca611f5fa7da8b3
  • font_01_sfnt_off0000fc63.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC63
    Size: 10348 bytes
    SHA-256: 85a1989cc18b2116dee0dc2b200e8c816675c979b8eee4c3eb198cab2a9dfe0f