Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a66f9a72e839326…

Verdict: MALICIOUS
File type: PDF
Size: 75.4 KB
Created: 2021-04-02 08:48:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0f6e14910ebe03d20d68a5bb8c9322b4
SHA-1: 9d69f1a604b6bbaea2f643cbb57de2cc0d8a4f81
SHA-256: 6a66f9a72e83932634779d53a8e304dc781852a64c268b867b0fc98a1267c11f
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI that redirects to a suspicious domain, disguised with a seemingly benign search query. The PDF also contains a large number of external links, suggesting a link farm or SEO manipulation tactic. ClamAV and ML classifiers strongly indicate maliciousness, with the PDF_SEO_LINK_FARM heuristic pointing to a tactic of generating numerous external links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://midufefew.ru/wix?keyword=hershey+brownie+mix+with+skillet

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e8a6.bin
  SHA-256: 8af4fb4643f4a4a25559712b19782eb6cca0480d2996e38c708a15cbc0d1b0f8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE8A6
  Size: 5144 bytes

Filename: font_01_sfnt_off0000fa10.bin
  SHA-256: 873533bdf9091653c00cfc88bd36bd030e9555df2f651d8dcbee37d5619d14c0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFA10
  Size: 11012 bytes