Malicious PDF — malware analysis report

Static analysis result for SHA-256 6983fc7ff60f498e…

MALICIOUS

PDF

79.6 KB Created: 2021-03-30 03:31:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5deb430c1fbf13fd5b63150b986740a5 SHA-1: 96077da0d1144a0e770895d054a6ffbca5ba3221 SHA-256: 6983fc7ff60f498e0e9b4056677178a466ea1586ebf564160bcee862c8a823e2
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics, including a critical ClamAV detection and an ML classifier. It contains a large number of external links, suggesting a link farm or SEO manipulation tactic, likely intended to distribute further malicious content or phish users. The PDF_SEO_LINK_FARM heuristic specifically indicates a mass of external PDF links, with the first URL pointing to a suspicious Weebly domain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=technique+cookware+cast+iron+enamel
    • https://gekawemugib.weebly.com/uploads/1/3/4/6/134623466/muzewigagudidexoju.pdf
    • https://cdn.sqhk.co/xukigipeduve/jd53zgc/12462415111.pdf
    • https://cdn.sqhk.co/futevanu/cghkhfZ/puzzle_100_doors_room_escape_level_92.pdf
    • https://cdn-cms.f-static.net/uploads/4448337/normal_605f0bf252186.pdf
    • https://cdn.sqhk.co/zajagatetode/v5Zjaii/app_store_icon_ios_11.pdf
    • https://static.s123-cdn-static.com/uploads/4403140/normal_5fe43f7bdc839.pdf
    • https://cdn-cms.f-static.net/uploads/4415073/normal_5fd7c12a0820e.pdf
    • https://cdn.sqhk.co/sowovupo/hf7pjYq/jekonosoloxo.pdf
    • https://tovibimatajo.weebly.com/uploads/1/3/5/9/135963052/73d028d.pdf
    • https://cdn-cms.f-static.net/uploads/4420019/normal_5fda41b799fbc.pdf
    • https://cdn-cms.f-static.net/uploads/4468530/normal_60226b6b27f20.pdf
    • https://cdn-cms.f-static.net/uploads/4485826/normal_602402b76299f.pdf
    • https://cdn.sqhk.co/tagisojitilu/W9idgjy/airdroid_premium_version.pdf
    • https://cdn-cms.f-static.net/uploads/4481841/normal_605b71cebb2fc.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://c827806f-f9bf-4fd3-a4ce-e487c020fa79.filesusr.com/ugd/6fd45c_1b63ee32b3c641e4ab3b25a0fee1cdb6.pdf?index=true
    • https://7c3dd69e-6649-485e-b385-36acc2971cd6.filesusr.com/ugd/cf9ff1_69953b865d4a4634b82b61ada252995d.pdf?index=true
    • https://65d0a56f-4074-4e8f-9acc-29e6f8e8f663.filesusr.com/ugd/37655d_b5cfe7c0b8284a1e9e935493a9feb362.pdf?index=true
    • https://s3.amazonaws.com/pafiganovavi/vertigo_exercises_brandt-_daroff.pdf
    • https://s3.amazonaws.com/wajufifenoxuj/xosesufijogelof.pdf
    • https://s3.amazonaws.com/donarepemi/gapawenizex.pdf
    • https://d321836a-1bf8-47c4-b4d3-67fe1e7f0250.filesusr.com/ugd/33ab24_c118b5bf9cca4e66917d969d6c15eb35.pdf?index=true
    • https://s3.amazonaws.com/gudukupir/bitdefender_offline_free.pdf
    • https://s3.amazonaws.com/dutimajizowa/samsung_rf268abrs_control_panel.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f8f3.bin
f31f36f73eb5e95a12b7f05985a9ecbe3f50be41b12589eecc685f955aff4cd7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF8F3 5272 bytes
font_01_sfnt_off00010ac9.bin
61c77dabaad0de94646b0f4b2f193268ae74f0aaf7b837cb31625a57ae2116a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10AC9 11264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.