Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c4252c18243fef9…

MALICIOUS

PDF

Size: 80.4 KB
Created: 2021-04-07 07:57:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 284595712e3cddf19f350ca106f7b330
SHA-1: e823e7183cfd7a572783e591c1611b78b28d64dd
SHA-256: 9c4252c18243fef9c17ecd4349f923719b4521f85e66d66dff13009ad935c7f2
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, suggesting a malicious intent to manipulate search engine results or redirect users to malicious sites. The ClamAV detection and ML classifier strongly indicate this is a phishing or trojan PDF. No scripts were extracted, but the PDF structure itself is indicative of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/award?keyword=foods+that+fight+cancer+pdf
    • https://cdn-cms.f-static.net/uploads/4451023/normal_602428f1a88ab.pdf
    • https://cdn.sqhk.co/zowonefaso/BUEhhje/78947373919.pdf
    • https://static.s123-cdn-static.com/uploads/4453575/normal_5ff71817461d9.pdf
    • https://cdn.sqhk.co/xonipavu/isZR7ii/airport_utility_5._6._1_high_sierra.pdf
    • https://static.s123-cdn-static.com/uploads/4367289/normal_5fdef19594eb7.pdf
    • https://cdn-cms.f-static.net/uploads/4450628/normal_6012966f2ca83.pdf
    • https://cdn.sqhk.co/jupumezu/jcggyoM/plantuml_class_diagram_template.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b5526579-b22d-45a0-8251-9885a72cf3eb.filesusr.com/ugd/0cd019_3e9fbba8d2114f088a3dd6d65fcd07f9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b1aa463f-fec6-409a-bc9b-30a6a06ae91f/95255361548.pdf
    • https://f635e5d9-31b1-4f19-b758-7a623be10181.filesusr.com/ugd/6cf0f5_0c8bffa5e1294465a175cfd715b761bf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1cefefee-c237-49bc-bb2e-843da8d7fde5/directv_genie_mini_not_responding_to_remote.pdf
    • https://uploads.strikinglycdn.com/files/07f15f9e-585e-4b42-9cd7-5f10344cf82e/how_is_stephen_hawking_able_to_communicate.pdf
    • https://uploads.strikinglycdn.com/files/aa7d6601-b90c-4915-9f41-4b976fd2b581/what_to_put_in_a_time_capsule_with_your_best_friend.pdf
    • https://2172aa7b-56d6-4bcb-a12f-aafeda7c7725.filesusr.com/ugd/0d9129_1023889f396449418096c47b0de93ad2.pdf?index=true
    • https://170a7d3c-74f0-42f5-9ead-98ae292a4922.filesusr.com/ugd/a18aa6_84732e4fe823444a9e83d8301c284b6d.pdf?index=true
    • https://b36ad067-21ef-4b17-9055-1dfcbb3fb98c.filesusr.com/ugd/8673ad_3b3ace1b5a944bf5bcd375ad58bbe423.pdf?index=true
    • https://f37c3615-20b0-4e70-b1e7-2acf34113780.filesusr.com/ugd/1e533a_4e95f8678ca944208418cbebe30b5dfe.pdf?index=true
    • https://6632aaff-1fe9-4f1d-acb3-7d444e457837.filesusr.com/ugd/ce4b7c_7ad82ee9e5114df2a49172cea8997dcb.pdf?index=true
    • https://eb40363d-1d1f-4170-a897-f23f0f433116.filesusr.com/ugd/2a1429_82d2675f41144428ab89ac575799cfa8.pdf?index=true
    • https://21e323bd-7fdd-46e9-a6c7-4880e76d7610.filesusr.com/ugd/0a51c1_6561fe6d9d7040dc9449702ee0b22db6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000fafd.bin
    SHA-256: 89745b58f5e0afcdf0d6bac0dbefedc8bd981b48af376c546b390d0a75d6039e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFAFD
    Size: 5340 bytes
  • font_01_sfnt_off00010d2b.bin
    SHA-256: b944bd2965e488521cf0c3a95c56b261d30d4795ec76d7fb6da5240e8bfa1b0a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D2B
    Size: 11400 bytes