Malicious PDF — malware analysis report

Static analysis result for SHA-256 768d4f685fe8c1a9…

MALICIOUS

PDF

Size: 78.2 KB
Created: 2021-04-24 03:24:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 06149d3e09ccee41b32757a893c44fec
SHA-1: 246a8992969eed746bfffd501d591828bd209aac
SHA-256: 768d4f685fe8c1a9bd77545a9ea0d57297bd19b213375affcb4c3d4e36487384
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, with one primary URL pointing to a suspicious domain, suggesting a link farm or phishing attempt. The document body, though heavily obfuscated, appears to be related to search terms for snow blower parts, likely a lure to disguise the malicious intent of the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://xezojetit.ru/strik?utm_term=troy+bilt+2410+snow+blower+carburetor+parts

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f0f5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF0F5   5624 bytes
  SHA-256: c905a779fdab67247427db3c626bda6058f80233db2023e9deb1d70605462707
font_01_sfnt_off00010450.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10450  11040 bytes
  SHA-256: f511054c24f63d4592a1658afd5734fffe670444a471a840d09cbcd38e05833b