Malicious PDF — malware analysis report

Static analysis result for SHA-256 953751aa340a172c…

MALICIOUS

PDF

75.7 KB Created: 2021-03-04 13:46:05 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4e84296e47527db72339605fd74bc23 SHA-1: acd694dcff8e39e2e6c827560566ae8cd22a8541 SHA-256: 953751aa340a172c1f4dc8f241410884ab4e914f41cdb1f8ce69685be8336ff7
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains a large number of external links, with one prominent URL pointing to a suspicious domain that appears to be part of a link farm. While no scripts were explicitly extracted, the PDF structure and the presence of numerous external URIs suggest an attempt to redirect users to potentially malicious content or phishing sites. The document body is heavily obfuscated, preventing a clear understanding of its direct lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/wix?keyword=awesome+tanks+3+unblocked
    • https://static.s123-cdn-static.com/uploads/4527108/normal_5ff0e41c2158e.pdf
    • https://cdn.sqhk.co/ravuviwidi/Jhfzidm/free_olympic_logo_png.pdf
    • https://cdn-cms.f-static.net/uploads/4422161/normal_5fd647ce04ce3.pdf
    • https://static.s123-cdn-static.com/uploads/4388841/normal_5fcbca2cd474a.pdf
    • https://cdn-cms.f-static.net/uploads/4405419/normal_603abb5e09684.pdf
    • https://cdn.sqhk.co/doxelatofon/bhcbHjf/doune_castle_scotland.pdf
    • https://cdn.sqhk.co/wanoziku/FqUahbY/92642647120.pdf
    • https://kolidazab.weebly.com/uploads/1/3/4/6/134663239/lubuzedolunozopitov.pdf
    • https://cdn.sqhk.co/lilaxikixo/hfifjgP/wusozugefixopaligojusajex.pdf
    • https://cdn-cms.f-static.net/uploads/4412583/normal_5fd7c2bd855dc.pdf
    • https://ribiridoxa.weebly.com/uploads/1/3/0/8/130874248/ac943f9b7f3c.pdf
    • https://cdn.sqhk.co/nujidegowupi/6Yiql7h/motoxibefolegajozek.pdf
    • https://cdn.sqhk.co/genopeno/7hamnmG/best_caption_for_group_photo_with_friends.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/af1a6dfa-fae7-4f5b-ba99-178e02747360/new_maze_runner_book_2020.pdf
    • https://uploads.strikinglycdn.com/files/ee995288-dda0-4bd7-b4be-b85a04e75093/70641828179.pdf
    • https://uploads.strikinglycdn.com/files/aed2651c-326d-4403-b5aa-fc1f34514285/motorola_sbg6580_wmm_settings.pdf
    • https://uploads.strikinglycdn.com/files/9ac3f88d-086e-43f6-989e-2883067405a7/pigefalebigoseru.pdf
    • https://uploads.strikinglycdn.com/files/5dd48efe-c983-4145-9718-909ec7df50e2/sonetipi.pdf
    • https://uploads.strikinglycdn.com/files/9845faed-6a2f-4a03-8210-05ff3083977d/how_to_add_website_to_wix_blog.pdf
    • https://uploads.strikinglycdn.com/files/05d96a7f-95dc-49da-9966-cb97bd72fdb4/13069820130.pdf
    • https://uploads.strikinglycdn.com/files/e16b1c1b-6e79-4936-a4bc-f2b1262cab5f/jesus_was_an_only_son_bruce_springsteen.pdf
    • https://uploads.strikinglycdn.com/files/41ddcfc4-5af5-40bb-9a5a-58af9a21760c/icd_11_classification.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e356.bin
38bc7e9717ebe20d67bbaebd4b4b94415da4d74e8c0ff2f76bf645a3b3e9e3a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE356 5440 bytes
font_01_sfnt_off0000f5cc.bin
daad3f347a4f42f432ee9983e619a7c063e36761dba5934b469418034847e28e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF5CC 1800 bytes
font_02_sfnt_off0000fe5a.bin
355995faa8c59b2517921a4c2492e58c144a63ae2457a06f103241669162c8d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFE5A 10080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.