Malicious PDF — malware analysis report

Static analysis result for SHA-256 84d77bc8435f5ba7…

MALICIOUS

PDF

79.1 KB Created: 2021-03-13 19:59:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 30cf41d420dcc85bb326810d413ed9a7 SHA-1: 59ef9dce83ad6147553a4c1cfc194ca92cb59fd6 SHA-256: 84d77bc8435f5ba79ddb25c96737afda4113996598e8038e193e65e5075b14d9
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was identified as malicious by multiple heuristics and an ML classifier, indicating a phishing or malware distribution attempt. The document presents itself as a search result for a book, likely to trick users into clicking embedded links. The presence of a large number of external links suggests a link farm or a mechanism to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/wix?keyword=amulet+book+1+read+online+pdf
    • https://zofekumu.weebly.com/uploads/1/3/4/7/134741387/5675654.pdf
    • https://jubabanijawema.weebly.com/uploads/1/3/1/0/131070146/5759693.pdf
    • https://cdn.sqhk.co/jivazufevi/eUjcygf/47720252354.pdf
    • https://kabibejago.weebly.com/uploads/1/3/6/0/136050231/fba0bebebf4.pdf
    • https://kigolakelo.weebly.com/uploads/1/3/1/3/131380934/larel.pdf
    • https://niladituzisum.weebly.com/uploads/1/3/4/7/134736231/d755cde9ac4bd.pdf
    • https://cdn.sqhk.co/businaxidare/jdYyFie/gangs_of_london_cast_episode_3.pdf
    • https://cdn.sqhk.co/miburixegapu/fjgIgh9/72538701813.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://xomawerowikevof.rf.gd/crack_sketchup_pro_2015_64_bit_free_download.pdf
    • http://nelojodopon.epizy.com/zubufimiwukirepolezafas.pdf
    • https://748f1d53-d141-46c1-926a-d14fc69713a3.filesusr.com/ugd/e3ed1f_a334d9e3aa404fd597dca24ccbdcbbbe.pdf?index=true
    • https://7c8f45b7-e058-4e27-bccd-8ee7dcb26900.filesusr.com/ugd/d5cf39_d8b6b2caffa942c3bf947af5161b5772.pdf?index=true
    • https://uploads.strikinglycdn.com/files/efa8b63f-44db-4232-874d-0da34bb250e6/81181824045.pdf
    • https://f06ae689-34e6-4fd9-b749-a5985747e370.filesusr.com/ugd/4117a9_7b3762a9315148848c6b10e233e57863.pdf?index=true
    • https://5a8aee2d-3d68-4c09-98ed-743c9c56d6fd.filesusr.com/ugd/460efe_33886625523b441f953605cfbe8f6528.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dbbcc1ff-c251-4f91-a0a1-fdd4c2a647f3/apple_ipod_video_30gb_battery_replacement.pdf
    • https://f8340159-69ce-4309-ac43-521e9a8475b4.filesusr.com/ugd/bc0b97_0c135ef005494fe5a1a315bca7c1887a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6bc6cc16-a50d-4cc1-a3dc-00d0c8a21401/rowoxidikafebutame.pdf
    • http://gogufujupi.rf.gd/top_sound_booster_for_android.pdf
    • http://tijetefewojo.epizy.com/canasta_familiar_en_bolivia_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ec42.bin
8ee6bf63b95c2eb84bf7edfa50c1668fdc3a604a0c017a547dbbaf794686028d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC42 5136 bytes
font_01_sfnt_off0000fd9f.bin
289874a92646ef8fdd5519b6c8a0240034ee1d162a9883a72ab47168966f52d5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFD9F 10480 bytes
font_02_sfnt_off0001214a.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1214A 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.