Malicious PDF — malware analysis report

Static analysis result for SHA-256 99d924084bd439f7…

Verdict: MALICIOUS
File type: PDF
Size: 83.4 KB
Created: 2021-03-28 00:42:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2af1f0f56b1b4d24ae68c082badec3c0
SHA-1: 7b09071201e7eb5e2d6aa6c6ac50164ece3c0898
SHA-256: 99d924084bd439f7fe9fee377a3a328d64b68c857bc172c60725dfb017b70bfa
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with a critical heuristic identifying it as a link farm. The primary URL suggests a lure related to a business book PDF, likely to direct users to malicious content or phishing sites. While no scripts were explicitly extracted, the PDF structure and extensive external linking are indicative of malicious intent, possibly involving embedded JavaScript for exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://soxebez.ru/award?keyword=understanding+business+book+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off000106e4.bin
  SHA-256: 3c304266e73bf029d0848c6d4c740dbcfdb778cb3973b629b81bcaf152bf77da
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x106E4
  Size: 5372 bytes

font_01_sfnt_off0001193a.bin
  SHA-256: 6584d761cf61bc1d7c95c085002535f39daf632e0797b66d476cea4fcdbecee4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1193A
  Size: 10960 bytes