Malicious PDF — malware analysis report

Static analysis result for SHA-256 810d4684e072c1ee…

MALICIOUS

PDF

Size: 117.1 KB
Created: 2021-03-15 21:33:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2e4495a9be2811982119cbc596a1366f
SHA-1: 2a5ef24f52b4f2f7f8990463e72170f230dbbe00
SHA-256: 810d4684e072c1ee08b101431d4394d20f121fe37947b9ca2748b52f03bdb559
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical finding for a PDF link farm containing numerous external URLs. The ML classifier also assigned a high probability of maliciousness. The primary attack pattern involves directing users to external websites, likely for phishing or SEO spam, as indicated by the embedded URLs. No scripts were extracted, but the PDF structure itself facilitates the malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00017b68.bin | b75979f77eebf28f84a82acae10217ca750f33e218dc123ecb825b47d1609d20 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17B68 | 4696 bytes
font_01_sfnt_off00018b58.bin | 820f1bfbde2627a90dc2f3dd5855dc7bbc9f5c2b7555e837cc0b0a9559400006 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18B58 | 11484 bytes
font_02_sfnt_off0001b2b2.bin | 050cca2678d7435c270027ff58d84efa212ea3c5592871ae9bdc0d1e185112d0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B2B2 | 16076 bytes