Malicious PDF — malware analysis report

Static analysis result for SHA-256 8149d6e039789d51…

Verdict: MALICIOUS
File type: PDF
Size: 100.4 KB
Created: 2020-11-20 03:12:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8418bab1d16caef754a9a8875eaeeaf2
SHA-1: 41fb6cc6aea7c71743bb0734c6da0f7998f89729
SHA-256: 8149d6e039789d51cfe647aa40dd7f4f0f67b0c95d577da75c8ec39e705c04e3
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used for SEO spam or to redirect users to malicious sites. The heuristic PDF_SEO_LINK_FARM specifically indicates a mass external PDF link farm. While no scripts were directly extracted, the presence of embedded URLs and the ML classifier's high confidence score suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off00010b5a.bin
    SHA-256: 6ba0570f3e12adbbc15d3706dec1b9526cbe6327d8a4be29f55098b9bef8231d
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10B5A; Size: 3016 bytes
  • font_01_sfnt_off00011620.bin
    SHA-256: d660684714e4c393dc088089ffbf3398a5b200945d04664f6a08b5794d6a0369
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11620; Size: 5656 bytes
  • font_02_sfnt_off00012940.bin
    SHA-256: 428489fdbf614d537bf0ce3ee4eb3803bd1e6e8dfd8c72275cd0503c7864a03c
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x12940; Size: 10696 bytes
  • font_03_sfnt_off00014c79.bin
    SHA-256: c41fc46809d2260d2d1a821cef6bb00dae560fdbad380da94a93f29d012df54e
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x14C79; Size: 16164 bytes
  • font_04_sfnt_off0001618e.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1618E; Size: 4324 bytes
  • font_05_sfnt_off00016f8e.bin
    SHA-256: 2f7532cfbe1d0545b79467a856408f668fdb2c5c30febb3dbe8d68dcce39cd87
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x16F8E; Size: 5160 bytes