Malicious PDF — malware analysis report

Static analysis result for SHA-256 94e3a1d899959e41…

MALICIOUS

PDF

89.6 KB Created: 2021-03-15 14:18:36 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c271d2a0f0427429b68766130985a28 SHA-1: ceece1d7c81b94019e2ec2e68e9bfec2a99f0fc8 SHA-256: 94e3a1d899959e416ac9678906c8182c548f4fb057f546fb7de533e26045c985
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, many of which are associated with SEO link farms, indicating a malicious intent to redirect users to potentially harmful websites. The ML classifier and ClamAV detection strongly suggest this PDF is malicious, likely a phishing or malware distribution lure. Although no scripts were explicitly extracted, the PDF structure and numerous external URLs point towards an attempt to exploit users through deceptive content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/award?keyword=tabela+brasileiro+serie+a+2020+pdf
    • https://nufapapezo.weebly.com/uploads/1/3/0/9/130969462/71c07f79.pdf
    • http://evatopshop.xyz/jetimowabnacg.pdf
    • http://belplitka.ru/508129082844ynca.pdf
    • http://cleaner360.shop/caracteristicas_de_las_semillas_dico0ru68.pdf
    • https://fumasidabufip.weebly.com/uploads/1/3/0/7/130775820/wamopikofedaro.pdf
    • https://nuvosukive.weebly.com/uploads/1/3/4/7/134718285/fekivo.pdf
    • https://towowiwegopute.weebly.com/uploads/1/3/4/0/134019464/sozizupelu_maguferij_jirafotudapi_wawulasiv.pdf
    • http://load-bcp.com/blacksmith_hammer_wow_classictta1m.pdf
    • http://bosnoslovnoejelaniekupit.xyz/gigemudesejkriwg.pdf
    • http://ecoservice-vlad.ru/lozatikcr24o.pdf
    • http://natur-bio.space/traguese_ese_sapo_audiolibroe1h0h.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://de99934f-f465-4d69-af5e-14f317c0a7c6.filesusr.com/ugd/4fea5c_d1b64f3f8bdd4fb78ea7d557a8de9437.pdf?index=true
    • https://917ed8d3-8a9f-4c5c-a3ad-554e533308ad.filesusr.com/ugd/a4e402_28a7f668b7104a049cf74bfd781f4b66.pdf?index=true
    • https://dd3528e8-ded0-4753-843e-0d3cb9f542e7.filesusr.com/ugd/4d6844_da9462362262463ea1a3a68b59fa4ce7.pdf?index=true
    • https://c3e810f9-371e-40b9-9a0b-4695a496ec77.filesusr.com/ugd/2c7c49_ec44dc700fd644dd9b4d34ab30af0b04.pdf?index=true
    • https://6440a9f6-5e82-4153-977b-4ffe9374ec4a.filesusr.com/ugd/7182f3_5e3b6b411da44063b1c5853cfe1b37b7.pdf?index=true
    • https://83d12552-0bc1-4415-b221-1da25caacb9b.filesusr.com/ugd/1e11d0_a4d979462d3e4feb97bb130d5facb937.pdf?index=true
    • https://ec679cc6-872a-45a8-b2fd-b1bc8f6ddb77.filesusr.com/ugd/d1d005_48fa8a2cd1714846b097eebd515299f3.pdf?index=true
    • https://a84030a7-2e48-4039-807a-383e2b7216cc.filesusr.com/ugd/c5d40f_0706a46dc4774246bf4daefbee673767.pdf?index=true
    • https://89e5ed4a-33eb-42a6-b5f1-9fc07ea1e15b.filesusr.com/ugd/ff68bb_1bf4b3b4221540aca079f035ce5fc28e.pdf?index=true
    • https://bb74f61c-7045-47bf-9a7e-968101ee373e.filesusr.com/ugd/81ef4b_373b1c98294a40efa177e707fbc4c0fa.pdf?index=true
    • https://8f0c9b82-9570-4081-bbb7-5e23a534ea09.filesusr.com/ugd/7008f3_86d54a2921df49be9e040a718aea6d86.pdf?index=true
    • https://299bc67c-4c9a-44ea-852c-18f2d39dca40.filesusr.com/ugd/954c8b_3b34886a9a9a49b2809bea01dbfab19b.pdf?index=true
    • https://de7eff9d-5c50-4122-bb99-ee112abf7a8f.filesusr.com/ugd/db8f21_8fde63e6163242eab8f64fbb195781a1.pdf?index=true
    • https://86908e24-11f3-43a1-9346-bf531f45ee0b.filesusr.com/ugd/97493d_e53ac040ea924772baee2f394341972e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011b12.bin
32540797a64ae421bfcc603070abdc9f1746606fbd4ae748a662061f25a96e63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11B12 5400 bytes
font_01_sfnt_off00012d71.bin
faae0f94a5fb087e276522a55b6254812d7725d919fbd6fe90d6622e7282877b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12D71 14348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.