Malicious PDF — malware analysis report

Static analysis result for SHA-256 68c894a985170244…

Verdict: MALICIOUS
File type: PDF
Size: 96.3 KB
Created: 2021-03-24 06:43:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 33a77c6de22668d662b1a3e122c3d856
SHA-1: ed0b71306b1349fd9d45f2357af67c7b6b64a15f
SHA-256: 68c894a985170244a691b0ba1ba92def0e3fdbf8b4ee3f6fc785d4f1e40e7066
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was identified as malicious by multiple heuristics and a machine learning classifier. It contains a large number of external links, many pointing to other PDF files, suggesting a link farm or SEO manipulation tactic. The ClamAV detection indicates it is a phishing trojan. While no scripts were explicitly extracted, the PDF structure and the presence of external links suggest it is designed to redirect users to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/award?keyword=agricultural+regions+of+the+world+by+whittlesey+pdf
    • https://cdn-cms.f-static.net/uploads/4476432/normal_6015e21fdd7d1.pdf
    • https://futokodoneru.weebly.com/uploads/1/3/0/8/130814407/4421532.pdf
    • https://gejomomik.weebly.com/uploads/1/3/4/7/134719116/7380282.pdf
    • https://fogakorix.weebly.com/uploads/1/3/3/9/133997140/1986b341cc8.pdf
    • https://cdn-cms.f-static.net/uploads/4386073/normal_60339cd191db8.pdf
    • https://zarimuxeve.weebly.com/uploads/1/3/4/8/134897304/jomofewelal.pdf
    • https://cdn-cms.f-static.net/uploads/4480905/normal_6015806dd448d.pdf
    • https://bomusega.weebly.com/uploads/1/3/4/6/134656079/6592456.pdf
    • https://posuzelivoj.weebly.com/uploads/1/3/4/8/134869480/1657dfec6e50.pdf
    • https://metuwudoguwo.weebly.com/uploads/1/3/5/3/135323448/pimul.pdf
    • http://fedorahosted.org/lohit
    • http://fontawesome.io
    • http://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://dc6b22d1-fd3c-476a-b8f1-b0505981f591.filesusr.com/ugd/ab5adf_a0722a445ecd442785f89c903f8dfaf0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/69bf8184-885d-4c3f-8406-cd40e22b4180/vemetabuxepuwobuvizurige.pdf
    • https://dc273c12-e125-4738-b2e6-b96bc4bd5eb7.filesusr.com/ugd/c8df25_643d9318a07a46f9af44e78da72f40cb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e08404c5-cc48-4f30-a257-b93e9a98429e/39778262247.pdf
    • https://s3.amazonaws.com/liwafo/87593011290.pdf
    • https://d4f4546a-a836-4b3d-8651-c56b89608eca.filesusr.com/ugd/3e9e83_1ad17f7ab5c0469380ffa504dccf11a9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8f2bc087-077f-4047-9c8a-7cd3a34660db/forty_rules_of_love_elif_shafak_quotes.pdf
    • https://s3.amazonaws.com/pazatuv/capital_expenditure_proposal_template.pdf
    • https://uploads.strikinglycdn.com/files/7442a32b-13f4-49db-8a85-33e211a056bd/the_lady_with_the_pet_dog_joyce_carol_oates_analysis.pdf
    • https://uploads.strikinglycdn.com/files/039adacc-9a36-41d8-b1a5-247009031be5/ate_quando_entregar_o_imposto_de_renda_2019.pdf
    • https://e5447efa-8854-4d04-834e-f0bbd7438c8b.filesusr.com/ugd/ac612b_32a05ce388af4d069b6b98e462da38ff.pdf?index=true
    • https://s3.amazonaws.com/sivanira/meteoradar_slovensko_android.pdf
    • https://s3.amazonaws.com/gelawiweza/missguided_plus_size_chart.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • Filename: stream_007_off00015cc6.bin
    SHA-256: 5f230f7734e24e14be392795ad122f207eee5901b0f53b1efc7db934d056c873
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x15CC6
    Size: 5936 bytes
  • Filename: font_00_sfnt_off00011148.bin
    SHA-256: 8678461a36318f73caa47be7720532798183d8a18b717e055a12ae2b3be44fb2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11148
    Size: 1528 bytes
  • Filename: font_01_sfnt_off0001190f.bin
    SHA-256: 2c32e73c18c592d01d7239f00a3f5127ec39edc44aab1279b8d1533f869936e2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1190F
    Size: 5740 bytes
  • Filename: font_02_sfnt_off00012caa.bin
    SHA-256: 6539b129c5cd894636dc8f40f53a156c00c8f46378ab4f137c96d687a1cff6ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12CAA
    Size: 3720 bytes
  • Filename: font_03_sfnt_off0001380d.bin
    SHA-256: 3a34e8c8ff4939b6f88421ed1c443a720614925a8fb059a024e993904c7dce9f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1380D
    Size: 10660 bytes