Malicious PDF — malware analysis report

Static analysis result for SHA-256 8236d3a37eef6950…

MALICIOUS

PDF

91.5 KB Created: 2021-03-22 05:18:27 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-23
MD5: fd13979a96e2229aa9002839f35a0c0d SHA-1: a87a8369064039f2e763cd02b8b88f69659e9420 SHA-256: 8236d3a37eef69509a5b5b78d44360819b49a31cdb0a2567d35490e5df55a9f7
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous embedded URLs, many pointing to disposable domains and link farms, indicating a phishing or malware distribution attempt. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' strongly suggests this is a link farm on disposable hosting, designed to redirect users. While no scripts were explicitly extracted, the presence of embedded URLs and the ML classifier's high confidence score point towards malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 4

  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/award?keyword=as+catacumbas+de+roma+pdf+gr%25C3%25A1tis PDF link annotation
    • https://cdn.sqhk.co/rawerusiwala/gcicxgd/dino_safari_2_hack_apk.pdfIn PDF document text
    • http://zesamoa.online/catalogo_lusac_bombas_de_clutchmdq0p.pdfIn PDF document text
    • http://ig-socialmedia.xyz/php_for_the_world_wide_web_was_developed_in_quizletpqcod.pdfIn PDF document text
    • https://cdn.sqhk.co/noperizapewo/iihcsps/stranger_chat_anonymous_chat_app_download.pdfIn PDF document text
    • https://wokopapun.weebly.com/uploads/1/3/5/3/135388848/kixowe.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366035/normal_6014c09b691ab.pdfIn PDF document text
    • https://bitusuverutito.weebly.com/uploads/1/3/1/8/131871453/nalixel.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4378160/normal_603d747200350.pdfIn PDF document text
    • https://cdn.sqhk.co/jejekije/HzjaYUc/gigaparsec_to_light_years.pdfIn PDF document text
    • http://hook-up.fun/tegutok3ez2h.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4410730/normal_604e8fec41720.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4369905/normal_60245a25d1a25.pdfIn PDF document text
    • https://cdn.sqhk.co/vugomupuzisa/hgXvLje/25868697614.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4413575/normal_5ff291a85d4a8.pdfIn PDF document text
    • https://wojaduzojipoj.weebly.com/uploads/1/3/4/4/134467580/lemexazer-lofot.pdfIn PDF document text
    • https://cdn.sqhk.co/dupeguwova/ia4H9uN/party_city_costumes_for_kids.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.fontrix.comhttp://www.nhncorp.comIn PDF document text
    • https://s3.amazonaws.com/xujitezu/waldorf_curriculum_chart.pdfIn PDF document text
    • https://s3.amazonaws.com/pusolefosex/40312707218.pdfIn PDF document text
    • https://s3.amazonaws.com/gedimuta/pewesonasorumuwemekup.pdfIn PDF document text
    • https://s3.amazonaws.com/supefujoxopubu/non_religious_wedding_ceremony_script_funny.pdfIn PDF document text
    • https://s3.amazonaws.com/juzowilipi/ielts_listening_exam_answer_sheet.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001015d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1015D 5804 bytes
SHA-256: 5919dadcc7ea5adb5f402e19f3c2e7af2c2a418a63310093dad2829bbc062c82
font_01_sfnt_off00011476.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11476 14144 bytes
SHA-256: c9111955f7ed33909d4948842054ec1eace8c9c5ca3bce808afc011dded14fe8
font_02_sfnt_off00013ebe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13EBE 2072 bytes
SHA-256: 9694f1dd22230d2bd019691d6045c1608fe576088d4789ec8d7661b4e8256c88
font_03_sfnt_off000147bf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x147BF 16452 bytes
SHA-256: aa51163359159a66f93d9d13bb5de1016a2aff42b491b6752e184a76070f3970

Open this report in the interactive analyzer, or submit your own file for analysis.