Malicious PDF — malware analysis report

Static analysis result for SHA-256 8048f87272af4a0d…

Verdict: MALICIOUS
File type: PDF
Size: 82.5 KB
Created: 2021-03-09 14:43:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f713f00e9d6a3f4f321673f9d1327439
SHA-1: 2baf164734c05b269537423185decbf1f31ffdde
SHA-256: 8048f87272af4a0d73520754afde54a26c37dcaf18ab312cde75995f1e719d43
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious both by the ML classifier (Nyx score 0.9996) and by a ClamAV phishing signature. The dominant pattern is a large number of external link annotations, most of which point at further .pdf files hosted on free-hosting and CDN domains (weebly.com, strikinglycdn.com, rf.gd, epizy.com, s3.amazonaws.com). This matches a generated SEO link-farm carrier that routes users into unwanted-software delivery chains rather than a document that cites sources; the producer string (wkhtmltopdf 0.12.5) is consistent with the file having been rendered from an HTML page. No script was extracted from the file, so the T1059.007 (JavaScript) mapping is not supported by extracted evidence and should be treated as tentative: the risk rests on the link farm, the ClamAV detection and the classifier score.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV detection
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it is reported at info severity, i.e. the duplicate body did not carry active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) that say how each URL was reached are not included in this extract. The last nine entries (the w3.org, purl.org, ns.adobe.com, scripts.sil.org and dejavu.sourceforge.net URIs) have the form of XMP metadata namespaces and font licence references rather than link targets, so the clickable-link count is the entries before them.
    • https://druttle.ru/wix?keyword=how+old+was+jacob+sartorius+when+he+died
    • https://ralirepiputup.weebly.com/uploads/1/3/4/8/134852471/kagej.pdf
    • https://namekabesomi.weebly.com/uploads/1/3/4/6/134668803/90c6008043ac.pdf
    • https://dewotime.weebly.com/uploads/1/3/1/6/131606762/zuzisojagasaf_bofefe.pdf
    • https://sutivekawexebe.weebly.com/uploads/1/3/1/6/131636655/4145744.pdf
    • https://wojagezut.weebly.com/uploads/1/3/0/7/130775605/tozegevop-wirovejaxudav-dadezilorebe.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/353009a7-0ff6-47c4-82d5-df7046a2b34d/jevalis.pdf
    • http://luwefotikejumu.rf.gd/windows_app_sites.pdf
    • https://s3.amazonaws.com/batiku/bikudunoroxuvalesulug.pdf
    • https://uploads.strikinglycdn.com/files/518a0ab3-6050-47e7-839c-277b83bec4c0/zaliz.pdf
    • https://uploads.strikinglycdn.com/files/3ea387d8-07c8-4ee9-aa14-3d661a5fc9f9/1034779924.pdf
    • http://tuvugagud.epizy.com/scag_tiger_cat_seat_replacement.pdf
    • https://uploads.strikinglycdn.com/files/d76bfa1c-802d-4802-a070-e098f24bbe1a/how_to_reset_navien_tankless_water_heater.pdf
    • http://womejus.rf.gd/bomb_squad_mod_unlocked_apk.pdf
    • https://uploads.strikinglycdn.com/files/98c7c607-438a-4a26-b9e3-cea62dbd85fd/wuwibu.pdf
    • https://s3.amazonaws.com/remuv/shimano_nexus_8_speed_shifter_manual.pdf
    • https://uploads.strikinglycdn.com/files/6d73928a-473d-4aed-9329-31963ff3df71/vugabex.pdf
    • https://s3.amazonaws.com/pugomonapoxuxe/cervical_screening_test_guidelines.pdf
    • https://s3.amazonaws.com/sasufufa/65299164412.pdf
    • https://uploads.strikinglycdn.com/files/2acfa7bc-add9-4974-a52d-6faf952f5af6/old_school_rap_music_download.pdf
    • https://s3.amazonaws.com/dadupawo/luwubupixunuxukeju.pdf
    • https://uploads.strikinglycdn.com/files/e7969ee2-d37f-48d9-8b38-61971e5e2adb/bavorutovokipalogowozeg.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
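The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced on a raw file with a few regular expressions. The script below is an added example written for this page, not code from the analysis engine that produced the report: it pulls every literal-string /URI target, clusters them by host and scores the link-farm shape, then finds object numbers defined more than once with differing bodies and reports what a first-wins and a last-wins reader would each resolve. The PDF it scans is a constructed sample, not the analysed file; the thresholds (200 KB, 10 links, 50 % on one host, at least half of the links ending in .pdf) and the list of keys counted as active content are this example's assumptions. Hex-string /URI targets and objects packed inside compressed object streams are out of scope.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): four /Link annotations whose
# /URI actions point at .pdf files, three of them on one host, plus object
# "4 0" defined twice with different bodies in an incremental update.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Title (Manual) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/uploads/1/x.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://b.example/uploads/2/y.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/uploads/3/z.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://a.example/uploads/4/w.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Title (Manual) /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

# "N G obj ... endobj" definitions; non-greedy so each match stops at the first endobj.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI targets; accepts backslash-escaped characters inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys whose presence makes a duplicate body "active content" (assumed list).
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|SubmitForm|URI)\b")


def extract_uris(data: bytes) -> list:
    """Return every literal-string /URI target in file order, PDF escapes unwound."""
    uris = []
    for m in URI_RE.finditer(data):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # \( \) \\ -> ( ) \
        uris.append(raw.decode("latin-1"))
    return uris


def assess_link_farm(data: bytes, max_size=200 * 1024, min_links=10, min_host_share=0.5) -> dict:
    """Score the PDF_SEO_LINK_FARM shape: a small file whose clickable links are
    numerous, mostly point at .pdf files and mostly cluster on one host.
    The thresholds are this example's assumptions, not the report's."""
    links = [u for u in extract_uris(data) if u.lower().startswith(("http://", "https://"))]
    parts = [urlsplit(u) for u in links]
    hosts = Counter((p.hostname or "").lower() for p in parts)
    pdf_links = sum(1 for p in parts if p.path.lower().endswith(".pdf"))
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    top_share = top_count / len(links) if links else 0.0
    flag = (len(data) <= max_size and len(links) >= min_links
            and top_share >= min_host_share and pdf_links * 2 >= len(links))
    return {"link_count": len(links), "pdf_links": pdf_links, "hosts": dict(hosts),
            "top_host": top_host, "top_share": top_share, "flag": flag}


def find_duplicate_objects(data: bytes) -> dict:
    """Map (num, gen) -> details for every object defined more than once with
    differing bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL). 'first' is what a
    first-wins reader resolves, 'last' what a last-wins reader (honouring the
    incremental update) resolves; 'active' says whether any body carries
    action or script keys, which is what should raise the severity."""
    bodies = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        bodies.setdefault(key, []).append(b" ".join(m.group(3).split()))  # whitespace-normalised
    dups = {}
    for key, seen in bodies.items():
        distinct = list(dict.fromkeys(seen))  # dedupe, keep file order
        if len(distinct) > 1:
            dups[key] = {"bodies": distinct, "first": distinct[0], "last": distinct[-1],
                         "active": any(ACTIVE_RE.search(b) for b in distinct)}
    return dups


if __name__ == "__main__":
    r = assess_link_farm(SAMPLE_PDF, min_links=4)  # min_links lowered for the tiny sample
    print(f"links={r['link_count']} pdf_links={r['pdf_links']} top_host={r['top_host']} "
          f"share={r['top_share']:.2f} flag={r['flag']}")
    for (num, gen), d in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"obj {num} {gen}: {len(d['bodies'])} distinct bodies, active={d['active']}")
```

On the constructed sample the link-farm check fires only once min_links is lowered to 4, which is the point of keeping the thresholds explicit: a handful of .pdf links on one host is normal for a real manual, a few dozen in an 80 KB file is not. The duplicate object 4 0 is reported as active because its second body carries /OpenAction and /JS, the case in which the report's rule says severity should be raised; on the analysed file the same heuristic stayed at info.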

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eeb2.bin
    SHA-256: 4cfb3d932a1d8df7b20b8f83e863ca7fae6abfff9e76a4ee64239580bce2ea5f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEEB2
    Size: 5296 bytes
  • font_01_sfnt_off000100b5.bin
    SHA-256: b5058916113358bc1f07f8de6deb5543e1f38b0ff8e129b545b36636634ef7c1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100B5
    Size: 11068 bytes
  • font_02_sfnt_off000126a2.bin
    SHA-256: 3881ac036e24d18d946d46924f2e53d0ed0d4a9afaeaebdb2d2c90068baec180
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x126A2
    Size: 16240 bytes