Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d2b1ab21a44dd04…

MALICIOUS

PDF

81.7 KB Created: 2021-03-20 07:12:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 145c2beda3a68de4ee94ca50fd43e220 SHA-1: 7bdb78d865a335dde449ce01b4e953ebddd0d10f SHA-256: 9d2b1ab21a44dd04ca9c27f9ebfe9661cb3d9d92286ae45f7d7b87e226e359c4
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDF files, suggesting a link farm or SEO manipulation tactic. The presence of a download button lure and a high ML score further indicate malicious intent. While no scripts were extracted, the PDF structure and numerous external URLs are indicative of a phishing or malicious content distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=unit+5+study+guide+world+history+answers
    • https://static.s123-cdn-static.com/uploads/4406777/normal_5ffb9ec83ebb3.pdf
    • https://static.s123-cdn-static.com/uploads/4484355/normal_5fc8a1dadc0a3.pdf
    • https://static.s123-cdn-static.com/uploads/4422627/normal_5ff5e22938224.pdf
    • https://cdn-cms.f-static.net/uploads/4450256/normal_60502a8258f1b.pdf
    • https://cdn-cms.f-static.net/uploads/4486742/normal_6031b80786f2e.pdf
    • http://sufaxaviko.22web.org/kalender_2020_indonesia.pdf
    • https://cdn-cms.f-static.net/uploads/4469136/normal_603775ab34c85.pdf
    • https://cdn-cms.f-static.net/uploads/4453901/normal_5fe709b32d1dd.pdf
    • https://cdn-cms.f-static.net/uploads/4415769/normal_5fdb379e7ec45.pdf
    • https://static.s123-cdn-static.com/uploads/4492245/normal_5ffb59b5575be.pdf
    • https://cdn-cms.f-static.net/uploads/4470016/normal_5fdbdf3fc2f69.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://9387bd13-3746-4408-b474-2867f26e464d.filesusr.com/ugd/ace02d_f0935594fcba43d9a530a0cee00000af.pdf?index=true
    • http://roxewew.epizy.com/bfs_full_form_in_texting.pdf
    • https://9c12218e-e157-4070-b33f-4467b3cb42bb.filesusr.com/ugd/0c60a0_ef05ca22d2164f989eb1876900aaf633.pdf?index=true
    • https://da5bec28-7969-4117-8ffb-5069fce5e80c.filesusr.com/ugd/31593d_ee8bf99d3a25407bb9e907118e354b6a.pdf?index=true
    • https://b70645e9-42d7-44c6-80f2-f165c8819e8d.filesusr.com/ugd/3f1130_e337a319bb1549878ad404c716ab3011.pdf?index=true
    • https://6200e599-3f2f-4e3e-ab45-e6977ed7e777.filesusr.com/ugd/f8de3e_22ffab343c894715b2daab420ff4b0a0.pdf?index=true
    • http://xelidamos.epizy.com/56344349209.pdf
    • https://63aa7d51-6c54-48cc-ac87-b710a0da19c3.filesusr.com/ugd/c8d394_18c61368c349449697b6f3cd95d80be4.pdf?index=true
    • https://d102a0f2-001f-4998-bb0a-88ac30ac05b5.filesusr.com/ugd/771ea4_aef55c2662fe4e469e6001e649c3c676.pdf?index=true
    • https://41c240d9-b4af-4f88-8fa4-2a41cce3a287.filesusr.com/ugd/01bc73_dbe3fa96830f4d569b6059cbe8f19168.pdf?index=true
    • http://mirabawuwoku.epizy.com/guseruwixevumadoxude.pdf
    • http://tiribopur.rf.gd/78181563945.pdf
    • https://7a48fde5-f9d1-4ce4-84a2-8b156d245d18.filesusr.com/ugd/8127dd_fff7b5326da7488a8553589e2d847c34.pdf?index=true
    • https://02408c19-b9f6-4996-a596-1d5b7e46c8d3.filesusr.com/ugd/c83fdb_bf49e8aa98304a879039b906751648ef.pdf?index=true
    • https://170a7d3c-74f0-42f5-9ead-98ae292a4922.filesusr.com/ugd/a18aa6_fb04d15496c147cb8a8ffa8872b03ecd.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fede.bin
bf74c13f4200f0a0d9a3311650060729086c1c4b442c8e84906357261b0b94a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFEDE 5396 bytes
font_01_sfnt_off00011148.bin
5157a5c60b56af1ad00c7da9e0a540562fdecfd44b101a72554a5fcedb12e162		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11148 11620 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.