Malicious PDF — malware analysis report

Static analysis result for SHA-256 77f9b4dc21b2ac7c…

MALICIOUS

PDF

Size: 74.1 KB
Created: 2021-04-01 22:28:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4ee6789a8b9d2265ddfd10802774f942
SHA-1: 682c1cdce489bb31702673346e036d510b748376
SHA-256: 77f9b4dc21b2ac7c89ba35b584a63d786e83dfa2f52bc40dbe3a78658df942c6
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDF files, indicating a link farm strategy. The ClamAV detection and ML classifier flagging strongly suggest malicious intent, likely related to phishing or malware distribution. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic further support this, pointing towards an attempt to drive traffic to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d662.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD662
    Size: 5340 bytes
    SHA-256: dd68382770045480664e67b7dcda6081fdb78d5e4e0f65d29c88a9817062d57f
  • font_01_sfnt_off0000e872.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE872
    Size: 10576 bytes
    SHA-256: a88436b7e77526428d613cc76b943d231c8f03cbf0e6bb0d8b6403dd912a22ad
  • font_02_sfnt_off00010c76.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10C76
    Size: 4324 bytes
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176