Malicious PDF — malware analysis report

Static analysis result for SHA-256 80fc0e67ee3166c2…

MALICIOUS

PDF

76.1 KB Created: 2021-03-30 10:39:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb99a2559d233d38ebdf6b55f520a8f3 SHA-1: 69061429ae067f4ae30d79917153d5a667572213 SHA-256: 80fc0e67ee3166c23f71783b0f1d4244f04fdfd8b36fe70e0375e4d4c90e5ee0
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious and likely phishing-related. It contains a large number of external links, with one heuristic specifically identifying a "PDF link farm" which suggests an attempt to manipulate search engine results or redirect users to malicious content. The document body contains text related to movie audio songs, likely a lure to attract clicks on the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/123?utm_term=chirugali+movie+audio+songs
    • https://cdn.sqhk.co/fusevesapime/VDjesgf/kafuwej.pdf
    • https://cdn.sqhk.co/toriwogadej/AhdjeeY/personal_bio_data_format.pdf
    • http://lalexejiwisejul.iblogger.org/como_se_dice_camisa_formal_en_ingles.pdf
    • https://dirarogevuku.weebly.com/uploads/1/3/5/3/135351224/c3da7ff8657fd9.pdf
    • https://gorenusedom.weebly.com/uploads/1/3/5/3/135326887/e889bb0.pdf
    • https://kikafizujugu.weebly.com/uploads/1/3/4/0/134012642/92beae7704.pdf
    • https://cdn.sqhk.co/vagekoxes/ohiAhi6/masusikokepuzaz.pdf
    • https://dutofubexel.weebly.com/uploads/1/3/4/6/134631161/5381647.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kavejanunar.epizy.com/44947229181.pdf
    • https://s3.amazonaws.com/rezugekolaba/57670938318.pdf
    • https://uploads.strikinglycdn.com/files/c26e658a-a1e6-404d-8ff7-e7a7b07bc52f/46056134111.pdf
    • https://uploads.strikinglycdn.com/files/099c5a32-d259-4854-a5b7-e75606f7d4ad/17050138311.pdf
    • https://uploads.strikinglycdn.com/files/2e694402-78eb-4a5b-bf20-5e22378f1230/40521558539.pdf
    • https://s3.amazonaws.com/jusagi/rowodoxoxuda.pdf
    • https://uploads.strikinglycdn.com/files/1e041d8e-e468-4f6a-919e-3eb9112bc099/keurig_k15_k10_mini_plus_brewing_system_black.pdf
    • https://uploads.strikinglycdn.com/files/dce2113b-10c7-4a48-9801-6ac7bcb95c39/83722865807.pdf
    • https://uploads.strikinglycdn.com/files/2eb70155-a07d-43d2-afe9-896b1c0db637/towers_of_midnight_cover.pdf
    • https://s3.amazonaws.com/petuzutemixuvod/android_app_source_code_free_zip.pdf
    • https://uploads.strikinglycdn.com/files/05e343d6-a320-4023-990b-1a076e4ef240/gidawadufunura.pdf
    • http://zafediluxewo.rf.gd/final_cut_pro_x_trial_crack_mac_el_capitan.pdf
    • http://pepuzawataguzaw.rf.gd/ctet_question_paper_2020.pdf
    • https://uploads.strikinglycdn.com/files/7c5b3808-7ad7-453f-89cb-6b71a68524b0/sofugimafemenevoposik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb4b.bin
302657860a207dc6957c6d500c3560bd75f9522a830bc7cfc7644dfa1f346b9f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB4B 5204 bytes
font_01_sfnt_off0000fccf.bin
5b773ab701827257090f156e099d4a16bfc53fb9bd300809975d74ace3f238c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFCCF 11308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.