Malicious PDF — malware analysis report

Static analysis result for SHA-256 77e16ec2af72be4f…

Verdict: MALICIOUS
File type: PDF
Size: 89.8 KB
Created: 2021-03-12 02:48:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d68386147d21b77d1d2a4b690ad83d7b
SHA-1: 3416342177abd2a66b56f848c743a1c7f987ae41
SHA-256: 77e16ec2af72be4f15f5b47b5932016e790dc40abfc805317f6ed830dafba8c8
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous external links, many of which are part of a link farm designed to appear as legitimate search results for academic papers. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or malware distribution. The embedded URLs suggest an attempt to redirect users to malicious sites for further exploitation.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/award?keyword=u+satyanarayana+biochemistry+pdf+book
    • http://wijasagasipode.getenjoyment.net/gekigugenuwuwavufuxa.pdf
    • http://sidufapas.mywebcommunity.org/kupeseseletavofexupor.pdf
    • http://kulanefimolon.mypressonline.com/hp_laserjet_pro_400_color_m451nw_driver_windows_7_32_bit.pdf
    • https://gupolapi.weebly.com/uploads/1/3/4/6/134629895/zuwivubewa.pdf
    • https://cdn-cms.f-static.net/uploads/4451374/normal_6041d9653f5e9.pdf
    • https://cdn-cms.f-static.net/uploads/4473926/normal_604790853f801.pdf
    • http://vipadobotisituz.mygamesonline.org/why_mars_and_venus_collide_sinhala_translation.pdf
    • https://cdn.sqhk.co/tejurorado/jcjjt0h/special_forces_group_2_mod_menu.pdf
    • https://dakogepakidi.weebly.com/uploads/1/3/5/3/135391125/230930.pdf
    • https://viwejabaru.weebly.com/uploads/1/3/4/7/134749074/binelar.pdf
    • http://fexevewuli.mypressonline.com/wall_street_journal_magazine_instagram.pdf
    • https://dudafizegananif.weebly.com/uploads/1/3/4/8/134864336/tubidaleluz_jozigo_bevum_nobumelefeju.pdf
    • https://cdn.sqhk.co/simikitivo/0XMzVif/super_bomberman_2_snes_cheat_codes.pdf
    • https://cdn.sqhk.co/bitaxukezor/eghpwij/41227790084.pdf
    • https://fodonisegijiwos.weebly.com/uploads/1/3/1/4/131437376/xaselitadejok_kitufadepig_lebuxesi.pdf
    • https://static.s123-cdn-static.com/uploads/4496586/normal_5ff1e3463ea74.pdf
    • https://jenitexul.weebly.com/uploads/1/3/4/8/134859983/bazewobidiwajavale.pdf
    • https://cdn.sqhk.co/zekafomaze/NihiaLf/digital_marketing_courses_online_free_uk.pdf
    • https://cdn-cms.f-static.net/uploads/4388819/normal_6017dc0fb542b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://48e4e0df-78ce-4736-8797-27735e68dc67.filesusr.com/ugd/f3b179_9eceea507cc34b61bf602675ece86972.pdf?index=true
    • https://45f61934-b4a1-4335-a9e3-e142d9465b5b.filesusr.com/ugd/0dd040_5a3a91f0408e4f17b358c32136709437.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0001042d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1042D   5660 bytes
  SHA-256: ac62e3a983978e679b858e7474eced20b2336ae6ce9aa1bff9b5f94ccdbe9b85
font_01_sfnt_off0001174c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1174C   14224 bytes
  SHA-256: 56c95d53e5606f552b11586ac451b7a7c18ba5efe20e363514e476efc87af1da
font_02_sfnt_off0001442c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1442C   16068 bytes
  SHA-256: e7273338525a866f49bd556f13a0e46ce1e8513f85f175d9d987aa1f8b89adb9