Malicious PDF — malware analysis report

Static analysis result for SHA-256 9828d71c764feb37…

MALICIOUS

PDF

84.7 KB Created: 2021-06-01 02:31:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 84ee1ce16e4ea8012f83a477cde2516e SHA-1: 2039ad95e18e6a76c12063a6bead6a8a968ca4b1 SHA-256: 9828d71c764feb37918582f0d475d5f65ac40ea3643bf3bb7bb12342bc5d71e3
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics reveal it functions as a link farm, containing numerous external URLs pointing to other PDF files hosted on disposable domains. This suggests a tactic to manipulate search engine results or distribute further malicious content, potentially leading to phishing or malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/pbw?utm_term=how+do+you+remove+a+battery+from+a+riding+lawn+mower
    • https://susenuvow.weebly.com/uploads/1/3/4/8/134883676/5451198.pdf
    • https://judozolu.weebly.com/uploads/1/3/1/4/131407514/327ac1718.pdf
    • https://cdn-cms.f-static.net/uploads/4415531/normal_600ef5740667b.pdf
    • https://gedikitol.weebly.com/uploads/1/3/4/9/134901051/tilivoxerazukijusoru.pdf
    • https://cdn-cms.f-static.net/uploads/4404520/normal_604bcaf28c9e2.pdf
    • https://nanuvofekoredam.weebly.com/uploads/1/3/5/3/135385966/4654741.pdf
    • https://static.s123-cdn-static.com/uploads/4366351/normal_5fdce37528f9b.pdf
    • https://cdn-cms.f-static.net/uploads/4416153/normal_602b018383926.pdf
    • https://jeluxipofike.weebly.com/uploads/1/3/4/4/134490416/wizobazigosanoperik.pdf
    • https://padipemoton.weebly.com/uploads/1/3/0/7/130739419/9153229.pdf
    • https://nonovobuzodeku.weebly.com/uploads/1/3/5/3/135348203/kafatonogunuto-sepamuxojegob-besutitovofirak-rixop.pdf
    • https://fizijoju.weebly.com/uploads/1/3/0/8/130814030/sifopalobujuxefakaz.pdf
    • https://cdn-cms.f-static.net/uploads/4383149/normal_5fd333dc69277.pdf
    • https://robavefozaxun.weebly.com/uploads/1/3/4/3/134379548/xavefulisemuvu-paruwotela.pdf
    • https://cdn-cms.f-static.net/uploads/4487007/normal_601da7e80bce2.pdf
    • https://porukugo.weebly.com/uploads/1/3/1/3/131380087/devudebuxubila_safonof.pdf
    • https://lewixukulir.weebly.com/uploads/1/3/1/6/131606807/4146053.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zikupuzajix.pbworks.com/w/file/fetch/144431247/new_balance_md500v6_running_spike.pdf
    • http://funinupun.pbworks.com/w/file/fetch/144424884/density_of_aluminum_foil_in_g_mm3.pdf
    • http://giresizuloki.pbworks.com/w/file/fetch/144432279/41110161410.pdf
    • http://xojifot.pbworks.com/f/dopotikixexot.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010c11.bin
47fe610e00d746c30cfba6cb3531728c59e0a48f15063ec3fcd6adfa43046ee4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C11 5404 bytes
font_01_sfnt_off00011e79.bin
0beb845387cdf2572ad55d847f3f078dce968641be25c6431873fd4b7123e691		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11E79 10812 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.