Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1104eb09a53898e…

MALICIOUS

PDF

105.1 KB Created: 2021-03-03 19:45:18 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74f99fdffaa0dbb8375c8244ef6be82b SHA-1: b4d3f674af34ea981fc2bd363d783be6488af892 SHA-256: a1104eb09a53898ed77e51b766dd0043102b80e7317f5d5a7520802725ac1ef1
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The presence of a PDF link farm heuristic, coupled with numerous external URLs, suggests the document is designed to redirect users to potentially harmful websites. Although no scripts were explicitly extracted, the PDF format itself can embed JavaScript, which could be used to facilitate these redirects or further exploit the user.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/123?utm_term=what+religious+beliefs
    • https://dobetabuzaduguz.weebly.com/uploads/1/3/5/3/135312815/korifonema.pdf
    • http://womenita.fun/degarowebesinijoba532ia.pdf
    • http://tixesikixux.mygamesonline.org/los_mejores_amplificadores_de_audio_para_casa.pdf
    • https://cdn.sqhk.co/xewafazuk/Zigcgjf/merge_magic_cheats_challenge_16.pdf
    • https://cdn.sqhk.co/bidomutarili/dgj3G7Y/ropani.pdf
    • https://jinitemolo.weebly.com/uploads/1/3/1/8/131856214/430902.pdf
    • https://cdn.sqhk.co/vefapatape/HkjcqfX/17729388557.pdf
    • https://cdn.sqhk.co/kefexunas/haSNWgg/xojepujanilanukarevufak.pdf
    • https://fumitalabojaluk.weebly.com/uploads/1/3/5/3/135399187/2649994.pdf
    • https://zawasofolebu.weebly.com/uploads/1/3/4/9/134902788/koruwiza_zizixir_nugefadugilefu_nikufole.pdf
    • https://cdn.sqhk.co/fesakesovoka/1jbEggE/snowball_fight_survival_guide.pdf
    • https://cdn.sqhk.co/rekubapapup/KvkTagh/spelling_bee_font_free_download.pdf
    • http://smotrikino.fun/migixijerenunizalhcisp.pdf
    • http://ouily.xyz/is_guidepoint_global_advisors_legithiqel.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/gitipelut/74229515451.pdf
    • https://s3.amazonaws.com/wozoxub/79767707818.pdf
    • https://s3.amazonaws.com/sojuravewi/71679243745.pdf
    • https://s3.amazonaws.com/xalexojaxipud/gexeti.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001370f.bin
c2b008f0314917370438190bd69357d20e16de13598bc4cbe5095f4a316e7124		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1370F 4960 bytes
font_01_sfnt_off00014815.bin
637af60d3ca7354794f4310c7b2609ba39176b3eec3809c255a2ad9abd798216		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14815 16192 bytes
font_02_sfnt_off000173eb.bin
ccd0ea095085b9379100d4de0d13d045157d8501f46cd3db2ef5c00475687e02		 pdf-font-stream PDF embedded font (sfnt) at offset 0x173EB 16088 bytes
font_03_sfnt_off000188a3.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x188A3 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.