Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0ace9cfe392aa94…

Verdict: MALICIOUS
File type: PDF
Size: 87.9 KB
Created: 2021-03-22 05:43:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef11c12af53338661a107ba645345846
SHA-1: d7b58ca0ba15cc3019df268480821de51b0d2c08
SHA-256: a0ace9cfe392aa94097e839f70ee1929e458f74db4ebc5fd4f2fb1405c906d29
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to suspicious domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and numerous external URIs are indicative of a malicious document designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00010512.bin | 899a981854be5bea7d2d95e4b487a64609cb08582a0d07708df2d3fb02fc1560 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10512 | 5448 bytes
font_01_sfnt_off000117a7.bin | 2c1669e4ec5d713ad6337dfcb1e7023e1aaa4c509b2421fe3546ffbaed424ea9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x117A7 | 7084 bytes
font_02_sfnt_off00012ad9.bin | e94ac46b51a72a4d377b997e41efdf10652eb5ee3190efb4268a112413861369 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12AD9 | 11452 bytes