Malicious PDF — malware analysis report

Static analysis result for SHA-256 907b87aa62d526e5…

Verdict: MALICIOUS
File type: PDF
Size: 91.6 KB
Created: 2021-04-20 18:47:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b70db6a8f64cbc59bcb37b95ecfafa59
SHA-1: ddc42d6720121088d481f256e77bf0eb921acf36
SHA-256: 907b87aa62d526e578c624e45f22db799c8103b92fb35fca998284440a124e57
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. The primary URL points to a domain that appears to be part of a link farm, and the ClamAV detection 'Pdf.Phishing.Trojan' further suggests malicious intent. The document body is heavily obfuscated and unreadable, but the presence of numerous external links indicates an attempt to redirect the user to potentially malicious or SEO-abusing content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9988

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=antiderivative+of+cos%2528x%255E5%2529
    • https://jupedarer.weebly.com/uploads/1/3/2/8/132815187/sufup.pdf
    • https://cdn.sqhk.co/xurajalijok/ifhfiiS/skooler_parent_login.pdf
    • https://ronunafo.weebly.com/uploads/1/3/1/8/131856498/65991b.pdf
    • https://zenijubam.weebly.com/uploads/1/3/4/8/134884092/3982982.pdf
    • https://cdn.sqhk.co/sefibenip/ajfEgiV/business_strategy_interview_questions_answers.pdf
    • https://gagebopa.weebly.com/uploads/1/3/6/0/136051288/ninok_togorenimi.pdf
    • https://depasosuva.weebly.com/uploads/1/3/4/4/134483816/gosivowowan.pdf
    • https://cdn.sqhk.co/laxuweredex/iegh3CI/donamejus.pdf
    • https://cdn.sqhk.co/vomuvojovi/chb7a1O/just_dance_now_apple_tv_review.pdf
    • https://cdn.sqhk.co/binebelezux/jjkCida/wrecking_ball_miley_cyrus_mp3_song_free_download.pdf
    • http://vavawosasote.iblogger.org/govanobubasaxigememu.pdf
    • https://cdn.sqhk.co/rorazelesu/TieKbcg/37074560778.pdf
    • https://cdn.sqhk.co/buvovemif/gdrhg2j/thinking_in_java_book.pdf
    • https://cdn.sqhk.co/luwesefizi/0e6jeI3/hidden_valley_resort_phillips_wi.pdf
    • https://xeluluferira.weebly.com/uploads/1/3/4/2/134266649/semexiradewifiw-janebej-nupigeno.pdf
    • https://bovuzujavus.weebly.com/uploads/1/3/5/3/135326818/1561051.pdf
    • https://zuzesewijolane.weebly.com/uploads/1/3/1/4/131406438/3935520.pdf
    • https://vosovijuz.weebly.com/uploads/1/3/0/8/130813614/ddd362c9b1a49c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://jezirateba.rf.gd/is_the_shark_vacuum_any_good.pdf
    • https://s3.amazonaws.com/gudukupir/what_are_the_a_b_buttons_on_roku_remote.pdf
    • https://s3.amazonaws.com/ronatiduzoxij/video_cutter_app.pdf
    • http://zabidogadifosis.rf.gd/54368502007.pdf
    • https://s3.amazonaws.com/biwuwukesazef/masigedatiler.pdf
    • https://s3.amazonaws.com/pidufozu/charities_registration_form.pdf
    • http://rusuxagek.rf.gd/zidaxalo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00010f3a.bin
    SHA-256: 66a15e49aec4270d1e8cf44e82d0f86cb1ccb45fce98792c60ed5090c996c089
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10F3A
    Size: 5428 bytes
  • font_01_sfnt_off000121e9.bin
    SHA-256: 6609d454642966020de9405024ce7f7b52e2d852e1bc0e1949a0b1231afa20b5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x121E9
    Size: 12232 bytes
  • font_02_sfnt_off00014bec.bin
    SHA-256: 28c03bcf599e3456f71dbda7a9940e8017c4b7a6e15fdbd9d4eba8bfcd1a11e4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14BEC
    Size: 16064 bytes