Malicious PDF — malware analysis report

Static analysis result for SHA-256 8cdab0439edfdfa4…

MALICIOUS

PDF

Size: 80.6 KB
Created: 2021-03-23 21:41:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b3e94894b8f5eb39cf38f996ee5ea8eb
SHA-1: 7ab07048e1e4cfae71778ed70055d3d91b9997d1
SHA-256: 8cdab0439edfdfa4edef14b3926049e1b1b47c0a0461539c065833730771b7c8
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded links, identified as a link farm, with a primary URL pointing to a weight loss topic. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or malware distribution. The heuristic PDF_SEO_LINK_FARM suggests the document's purpose is to generate traffic to external sites, potentially for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/strik?utm_term=weight+loss+b+positive+blood+type+diet+food+list

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fc97.bin
SHA-256: a9c21824c5b5a122ee60a3f75c20ab687830fd530c6fbdf1cfbb113cce5e5446
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFC97
Size: 5312 bytes

Filename: font_01_sfnt_off00010ec1.bin
SHA-256: 3b3649c5f26d2e191b335549dfe9eb1b9736ad4bf36589cb0d4aa28b2da890fb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10EC1
Size: 11208 bytes