Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0fb56364d144335…

MALICIOUS

PDF

83.0 KB Created: 2021-03-19 20:15:37 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45ed1a4c19e33dbd8b29fd1f7bcee567 SHA-1: e08f184ccf9a537f60eeaae5dd679299f4ff147d SHA-256: a0fb56364d144335e7ec89f316aacbd22daf55936072e734e7b48a22708b6ab8
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, directing users to numerous external URLs, some of which are hosted on disposable domains. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic suggest the primary goal is to redirect users, potentially for phishing or SEO manipulation. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/aws?utm_term=how+has+sports+changed+the+world
    • http://mitisavad.getenjoyment.net/troy-bilt_trimmer_mower_belt_replacement.pdf
    • https://cdn-cms.f-static.net/uploads/4403414/normal_601f56b5168c2.pdf
    • https://cdn-cms.f-static.net/uploads/4375531/normal_5fd235625609c.pdf
    • http://dagulofevururuk.22web.org/20310814454.pdf
    • https://tutemedoz.weebly.com/uploads/1/3/2/8/132814241/8860240d5ef31b.pdf
    • https://radalumimobexod.weebly.com/uploads/1/3/5/9/135957078/ronarita-keluzidopap-babofowokipaj.pdf
    • http://kuzojud.66ghz.com/cerebral_venous_sinus_thrombosis_guidelines_uk.pdf
    • https://tavadubamik.weebly.com/uploads/1/3/4/4/134473349/tulota.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b064d0e4-88d6-4b7e-8087-8ebf790fcba6.filesusr.com/ugd/ca32a8_1e38f650308f47ae84d0edd25d9b7b98.pdf?index=true
    • https://9cc02d22-446e-415d-9686-6e49aadcb3b3.filesusr.com/ugd/aa6a08_e2cd9c94eb694a389a05c24034642f26.pdf?index=true
    • https://21036261-01f9-4725-a342-2b8b08d10099.filesusr.com/ugd/d0cbc4_2fc7714083a14991b4af02f6e81ea828.pdf?index=true
    • https://591379ed-26d0-4405-baa7-5b8dadede013.filesusr.com/ugd/866ffa_15d0128d7b804ae7934a5f43b9709b87.pdf?index=true
    • http://zowujobosega.rf.gd/aquatic_plants_pictures_free.pdf
    • http://bivojeda.atwebpages.com/les_nergies_renouvelables_livre.pdf
    • https://8eefcaf3-52f5-4123-8be5-b1f0aaeea45e.filesusr.com/ugd/1d3654_236439435cf24f198bd980be33570b11.pdf?index=true
    • https://543e2b4d-9699-46d2-9656-875e860b8e63.filesusr.com/ugd/fb32d0_22411f34200a4f208245d8eda0e08c12.pdf?index=true
    • https://e25b7b56-d8f7-44cb-9276-56428e53d1cc.filesusr.com/ugd/63f3e8_a02b029c35d44d8391934eea3ecb1ce6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001063e.bin
aecb01871214e50c84470066d2b1ac5216b525620936c51023bb738eb2265405		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1063E 5388 bytes
font_01_sfnt_off00011896.bin
a372b65bedaf0b6deea170aea92f4a06e911afa81854eac7a1857aa178f26991		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11896 11284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.