Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fc534bd08257298…

MALICIOUS

PDF

Size: 109.1 KB
Created: 2021-03-13 23:58:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8e450d49b27c840cbb803e9b1d35f033
SHA-1: eaf306345a2c0338758e2f9ec26b4b9e860709e8
SHA-256: 9fc534bd082572989ba1316434394f76fe0371ae387f871547d8141a2ce076f2
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which are to PDF files hosted on various domains, suggesting a link farm or SEO poisoning tactic to distribute malicious content. The primary URL appears to be a lure for a free textbook download, which is a common phishing pretext. While no scripts were explicitly extracted, the PDF structure and heuristic firings indicate malicious intent, likely involving the exploitation of PDF vulnerabilities or the hosting of further malicious content via the embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://leonvi.ru/wix?keyword=the+compact+bedford+introduction+to+literature+12th+edition+pdf+free+download

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000152ab.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x152AB  5580 bytes
  SHA-256: b8ce58a2cbadde89b66f28615250575c8b83bff3da471d1f70c33f4d49cfcc1d
font_01_sfnt_off00016590.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x16590  12808 bytes
  SHA-256: 41e45733fa2c8f9d16f735fbcee15f36b4690dc8b6eabb330e510aab87158223
font_02_sfnt_off00019066.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x19066  16204 bytes
  SHA-256: 532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e