Malicious PDF — malware analysis report

Static analysis result for SHA-256 a108a2c79b8ab843…

Verdict: MALICIOUS
File type: PDF
Size: 100.6 KB
Created: 2021-04-07 04:34:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e522443168c224df32c2f22558c76f7d
SHA-1: 46829314ec9c114b9e4dc4a7f5452beed0c12e05
SHA-256: a108a2c79b8ab843e618b1b4da7603ed6f30c72b421b64de3fe75ab1bab5433f
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, indicating a link farm or SEO manipulation tactic. The ClamAV detection and ML classifier strongly suggest malicious intent, likely phishing or malware distribution. While no scripts were explicitly extracted, the PDF structure and numerous external URLs point towards an attempt to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9966

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010d9e.bin
    SHA-256: 2bb37be10bdaf417076cc32147fbec23778a7353903c998f939085491f330c31
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D9E
    Size: 5696 bytes
  • font_01_sfnt_off000120f7.bin
    SHA-256: f1746f4a41cd8ae07a1a679700ee4ecdaaaeca805ea49b87d942cba4734359f4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x120F7
    Size: 2216 bytes
  • font_02_sfnt_off00012b08.bin
    SHA-256: a96d35d9120faf7efb26def8e7e800059a6c5dca9c79e73444f0f931c42ff9d3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12B08
    Size: 12880 bytes
  • font_03_sfnt_off00015481.bin
    SHA-256: 9c7926b8929b88a1dffb52ec04bcfb477868fd459509337312ce674bafabbb6a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15481
    Size: 16192 bytes
  • font_04_sfnt_off000169c9.bin
    SHA-256: b35abed3b95559cd664b3ea4327e3d7391c501a58c4cfd87e7d78d540256a0f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x169C9
    Size: 8224 bytes