Malicious PDF — malware analysis report

Static analysis result for SHA-256 91576f82abbce256…

Verdict: MALICIOUS
File type: PDF
Size: 87.2 KB
Created: 2021-04-29 09:44:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1661d7848ce7e83a0118c703d9892b14
SHA-1: 3effe52f986869abb16b6758a340b5b190b4c65a
SHA-256: 91576f82abbce2569243b4c89a35a3180f70e1478b82db9adae6d82d9cebcfaf
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, suggesting it is part of a link farm designed to direct users to potentially harmful content or for SEO manipulation. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic strongly support this attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://pelibifir.ru/strik?utm_term=peter+drucker+quotes+on+leadership+and+management
    • http://cparta.moscow/diccionario_filosofico_online_ferrater_mora5dqqe.pdf
    • https://cdn.sqhk.co/xuzalolotagi/idjbj0N/organometallic_chemistry_exam_questions_and_answers.pdf
    • https://cdn.sqhk.co/fekigimuzib/2Pa3icX/redsun_rts_premium_full_apk.pdf
    • http://artyom.guru/temexudafbs6q.pdf
    • https://cdn.sqhk.co/vafodagusun/ha1iijh/80018928299.pdf
    • https://cdn.sqhk.co/boxewemutox/hialBM7/current_stock_price_royal_caribbean_cruise_lines.pdf
    • https://cdn.sqhk.co/bijilixiger/GIigLT8/bubble_tea_emoji_huawei.pdf
    • https://cdn.sqhk.co/luwiwaduna/TzxjeUT/survival_guide_magazine.pdf
    • https://cdn.sqhk.co/sogefuluf/ibgiHOb/dekuzafoxuzedumudutudexal.pdf
    • https://cdn.sqhk.co/pitekofotada/b1W6jeo/descargar_textra_sms_apk.pdf
    • https://cdn.sqhk.co/lopijikuvi/qbIGhid/26782835714.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e5390371-1817-4012-af2a-c5d95043166f/28331329548.pdf
    • https://uploads.strikinglycdn.com/files/0efab148-6096-4a1c-98da-ccb4c7a77cca/star_wars_the_visual_encyclopedia_download.pdf
    • https://b5526579-b22d-45a0-8251-9885a72cf3eb.filesusr.com/ugd/0cd019_7f21a5d5a1744bda9b7cab1bf46c5059.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8c44a473-2be2-44ed-924d-5983b0f8e511/4_major_bodies_of_water_in_texas.pdf
    • https://uploads.strikinglycdn.com/files/72f667cd-f06b-46f1-b501-0425203373c7/pateravutevikenej.pdf
    • https://3c1ad7ec-bfc7-452d-a92a-0d22078d3251.filesusr.com/ugd/c6e823_9dd50c1cf5df4cee98f8e1c9afedb161.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a79080a0-158d-4bb7-8426-afbbdae29888/nikon_buckmasters_ii_3-9x40mm_bdc_reticle_riflescope.pdf
    • https://uploads.strikinglycdn.com/files/151db217-c0c1-4c6a-ac4d-762ed8d0f58f/fapixi.pdf
    • https://58eafb2e-ea74-4523-a1b2-d2e0fe9bfe54.filesusr.com/ugd/466fa0_70be286c6aec442f9cb89166fb995f9c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c87799ee-6d08-44d1-a634-82b6acd1a241/4_types_of_secondary_manufacturing_processes.pdf
    • https://uploads.strikinglycdn.com/files/c3d90987-825c-455d-9140-d04718e495d7/passion_-_in_christ_alone_official_lyrics_and_chords_ft._kristian_stanfill.pdf
    • https://uploads.strikinglycdn.com/files/4a2093fe-cf5a-4809-976f-509022548ae7/31884536142.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001182f.bin
  SHA-256: 16413c84a91a764bc335a6faaafea08081a7944cd168ce76f45581a1f584c1e4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1182F
  Size: 5680 bytes

Filename: font_01_sfnt_off00012b4e.bin
  SHA-256: 68909954a47742be2d7988034490a9d238eb30bd882f952f96e34c352589f8a2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12B4E
  Size: 10500 bytes