Malicious PDF — malware analysis report

Static analysis result for SHA-256 742037ae9127fc6e…

Verdict: MALICIOUS
File type: PDF

Size: 79.4 KB
Created: 2021-04-01 21:20:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a1c23c7f37174c1eb00190a760f6f48
SHA-1: 642cb290b6efb365df06f3137140dbd103dde437
SHA-256: 742037ae9127fc6e305ef549d15a273fb6af0432e68f6b322d58b554a2f2bcaa
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are disguised as search results for game cheats, indicating a phishing or malware distribution attempt. The heuristic PDF_SEO_LINK_FARM specifically flags this behavior, and the ML classifier strongly supports a malicious verdict. While no scripts were explicitly extracted, the embedded URLs suggest the document's primary purpose is to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f82e.bin
  SHA-256: 427bfb19a44eb2b690ccecdb8a905febb271c4ef230ad557b6e6f01d8246161f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF82E
  Size: 5420 bytes

Filename: font_01_sfnt_off00010a81.bin
  SHA-256: 52ece493843f84c2a1d0caa1f1740b2e5d86c8a6e0ea58afd93af8132751f7a2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10A81
  Size: 11016 bytes