Malicious PDF — malware analysis report

Static analysis result for SHA-256 84a3261433ffdd28…

MALICIOUS

PDF

69.2 KB Created: 2021-06-10 16:50:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f25dfa858618616e5b46c47cd79e8040 SHA-1: 7d3d2def08b44d9a66e4070b6fddcd914d2be367 SHA-256: 84a3261433ffdd280fea2fdc3fd2ee511cc34cd48ee01c85f636e90723a5092f
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. The heuristics reveal it functions as a link farm, containing numerous external URLs, many hosted on disposable domains like weebly.com. The primary purpose appears to be directing users to potentially malicious or phishing content, leveraging a spearphishing attachment vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/pbw?utm_term=after+novel+online+read
    • https://sozulidalipidin.weebly.com/uploads/1/3/1/4/131437061/jozulubexuratozekeg.pdf
    • https://govopejixaw.weebly.com/uploads/1/3/7/5/137514815/9a9a6ee9e70.pdf
    • https://cdn-cms.f-static.net/uploads/4470543/normal_6039fdc9e23e2.pdf
    • https://wonidajubiput.weebly.com/uploads/1/3/4/0/134017859/befe747f5795.pdf
    • https://cdn-cms.f-static.net/uploads/4459641/normal_5fda41a0d4f37.pdf
    • https://wivetagimogik.weebly.com/uploads/1/3/4/6/134618772/ea26026ae.pdf
    • https://wekijoborumotis.weebly.com/uploads/1/3/4/4/134484899/9aea4beb.pdf
    • https://wimegipovuxu.weebly.com/uploads/1/3/4/3/134373819/d42d9.pdf
    • https://kasesutibut.weebly.com/uploads/1/3/4/0/134017634/fobudizi_kemuxizudin_tiwosekopumevuv_gevewere.pdf
    • https://duzezefoge.weebly.com/uploads/1/3/1/4/131437668/lurefolexefitu-xukiben-rumononadamati.pdf
    • https://cdn-cms.f-static.net/uploads/4366408/normal_6037b96ae97ad.pdf
    • https://cdn-cms.f-static.net/uploads/4455399/normal_6063595e09634.pdf
    • https://cdn-cms.f-static.net/uploads/4448540/normal_60133759548cf.pdf
    • https://cdn-cms.f-static.net/uploads/4378623/normal_6015ff2b9e995.pdf
    • https://wevubajapema.weebly.com/uploads/1/3/5/9/135958203/linur-murulowuto-zanazuxubug-nikufolujiro.pdf
    • https://bimelubisazabe.weebly.com/uploads/1/3/4/4/134492892/fiwumotowew.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zuvuzut.pbworks.com/f/us_dollar_chf_umrechner.pdf
    • https://uploads.strikinglycdn.com/files/c4017d43-b481-40da-b9c2-12d2f0b40f47/14935936524.pdf
    • http://febevolojezu.pbworks.com/w/file/fetch/144827319/26706602406.pdf
    • https://uploads.strikinglycdn.com/files/bdaee117-b152-4da6-981f-842b7a8f5ec1/how_to_set_up_interval_training_on_garmin_vivoactive_3.pdf
    • http://paderukut.pbworks.com/f/fosetafeganaji.pdf
    • https://uploads.strikinglycdn.com/files/f5247f5e-66b6-423d-b42a-1675bea02e82/kenmore_80_series_dryer_issues.pdf
    • https://uploads.strikinglycdn.com/files/5d35fc71-cb8d-4203-afe0-c4c41134fc16/nonarorewuruxir.pdf
    • https://uploads.strikinglycdn.com/files/3c2951c9-ead5-44dd-a872-37c7ddded981/1601251308.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d587.bin
d85d7f7a31e4030bf67628596927272f5d8032df9f46c29ad2dafb1b7e65c5a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD587 4772 bytes
font_01_sfnt_off0000e5db.bin
fc141546f1a1a5901c4508601a3f57e42a4b40eb5f3ee75eeff0b387a0f54bda		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5DB 9848 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.