Malicious PDF — malware analysis report

Static analysis result for SHA-256 a04704e1df36140c…

MALICIOUS

PDF

83.2 KB Created: 2021-03-17 05:22:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f86da0777df5713afd2f241c702f24b SHA-1: 71466179342361614f1691e1d95ecbfc72432ac4 SHA-256: a04704e1df36140c7a5334579baad29c4cf21ec97b462282a462c645fb50979b
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded URLs, many pointing to disposable hosting, and is flagged by ML classifiers as malicious. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a large number of links on potentially untrusted domains, suggesting a link farm used for SEO poisoning or directing users to malicious content. The presence of embedded URLs and the overall structure strongly suggest this document is designed to redirect users to external sites for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/wix?keyword=blank+2020+monthly+calendar+free
    • https://static.s123-cdn-static.com/uploads/4450641/normal_6006247c3a6c0.pdf
    • https://static.s123-cdn-static.com/uploads/4479210/normal_5ffbb2ba7c031.pdf
    • https://cdn-cms.f-static.net/uploads/4379615/normal_6031ee2cb8bbe.pdf
    • http://tiwujatujoput.mygamesonline.org/83213745644.pdf
    • http://jaralet.getenjoyment.net/belajar_bahasa_arab_file.pdf
    • http://rokuboxajiga.medianewsonline.com/lotopakuget.pdf
    • https://cdn-cms.f-static.net/uploads/4412757/normal_600a0749a071f.pdf
    • https://cdn-cms.f-static.net/uploads/4378153/normal_60159eef61e8b.pdf
    • http://paxejunon.mygamesonline.org/horse_calendar_2020_malaysia.pdf
    • https://static.s123-cdn-static.com/uploads/4366367/normal_5ffbd6bc25638.pdf
    • https://static.s123-cdn-static.com/uploads/4481056/normal_5ffb527273a67.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://19a39513-20cc-49d1-a75c-e30ce0314142.filesusr.com/ugd/f99735_7b82ad507c7046b9ad5d59fddfe0faaf.pdf?index=true
    • https://uploads.strikinglycdn.com/files/a8cce004-e8fa-4882-b0af-acc43ac01962/manual_locking_hubs_on_ford_f250.pdf
    • https://s3.amazonaws.com/jezaxojipevu/lombok_indonesia_travel_guide.pdf
    • https://s3.amazonaws.com/voxipanovigepiv/management_information_systems_questions_and_answers.pdf
    • https://1e2e1d2f-e5bc-406e-8ade-c93a3c5db6fe.filesusr.com/ugd/81c7be_aa07a8580d894e1e97cccb23f169fe93.pdf?index=true
    • https://s3.amazonaws.com/zijivevip/sherwood_rx_4109_keeps_turning_off.pdf
    • https://uploads.strikinglycdn.com/files/17c6efd8-52ba-4de3-93a0-7967fd2bc839/57360496370.pdf
    • https://s3.amazonaws.com/saziwijaxodav/curso_de_ingles_free.pdf
    • http://limufij.myartsonline.com/53358029456.pdf
    • https://uploads.strikinglycdn.com/files/5781aee6-5cdd-458f-8375-9476eeb650b4/sub_zero_632_refrigerator_door_gasket.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f898.bin
0f9321aea826119960f2d7d2cd04653002d1b9cc232ec0ef6317d9bb1ca2ca3c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF898 5312 bytes
font_01_sfnt_off00010a7d.bin
c65517e2f088f6926a1aa2aa0213a6e0c5f995179af053d6e44b67f204ced7d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A7D 10816 bytes
font_02_sfnt_off00012f76.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12F76 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.