Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2b37adf4bdf5015…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-03-27 11:30:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8173165c0dab6e72708b32c17b5ea5f2
SHA-1: 96a59022f51e29f873dcc0dbcc2b2a3d33cca93a
SHA-256: a2b37adf4bdf50155ad1a5546eef1b3c13b800e4d0670bc2a2b717d043a7021a
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which are SEO-optimized and point to potentially malicious domains, as flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and the ML classifier also strongly indicate maliciousness. The embedded URLs and the overall structure point to a phishing or link-farming attack designed to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9848

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/award?keyword=logical+reasoning+and+analytical+ability+pdf+for+ias
    • http://jubuvojikemipi.iblogger.org/pujefuwufofun.pdf
    • http://ziximotizaned.medianewsonline.com/1000_palabras_basicas_en_ingles.pdf
    • http://jiwapadenejeza.getenjoyment.net/math_symbols_in_latex.pdf
    • http://kufigada.22web.org/rixunijigerilu.pdf
    • http://rixanemusijod.mywebcommunity.org/2225964594.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://ed7c5604-ec0f-4ae6-9d22-6d534b57d154.filesusr.com/ugd/1d5a3f_6390e0276a1f4577b1539f8497edcb21.pdf?index=true
    • https://uploads.strikinglycdn.com/files/721ab277-ca10-4172-a069-c439c3e15f37/larakafivasavijarisifupet.pdf
    • https://uploads.strikinglycdn.com/files/8988c1c8-830e-45de-b144-4af172a06962/speed_queen_dryer_installation_instructions.pdf
    • http://dezoruxeg.epizy.com/spanish_learning_books_free_download.pdf
    • https://f6b99bba-f064-431f-ab68-6eacb91b2703.filesusr.com/ugd/35e1ce_f9b9b095a9714b6ea96caf2b7b397f54.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f99d8388-0e51-4c00-bd8b-94d6e16e688a/resumen_del_cantar_de_mio_cid_por_cantos.pdf
    • http://fofanab.epizy.com/descargar_certificado_de_secundaria_cdmx.pdf
    • https://uploads.strikinglycdn.com/files/c821731e-6a40-410f-965b-74758ed1a9f5/savaful.pdf
    • https://72cee60b-533f-4fda-9f40-87b1bb6f0553.filesusr.com/ugd/590778_2f1d6df98c284b21add26b2a4749a9be.pdf?index=true
    • http://balupamujoti.rf.gd/brubeck_time_out.pdf
    • http://rugadugekowe.epizy.com/endodontic_access_cavity_preparation.pdf
    • http://baniduzi.epizy.com/leadership_theories_journal_articles.pdf
    • http://fitatina.rf.gd/11th_online_admission_form_2.pdf
    • https://4b5f4e46-8b81-4257-bf39-61fc08ba57b0.filesusr.com/ugd/7ea8bb_3e2dc35c3146435e8df6c56f92452b74.pdf?index=true
    • https://e6f9d1db-9bad-45ba-a188-0e8e378e8087.filesusr.com/ugd/99b222_dfbe4af46b6e40ba82898802cd8695d4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8d8265d4-b349-4084-b299-551db5afc0d0/shree_vishnu_sahastra_path_in_hindi.pdf
    • https://b46c4cda-4951-41c0-816f-bbf02eee4d9b.filesusr.com/ugd/4ff992_c271f95fa6d14a6abd4da7a974c1b215.pdf?index=true
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f4c7.bin
    SHA-256: a8b5bd7a441c18015d5161fe54e21af8f57ea9723da6e4f51c155a7d87e7b9b5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF4C7
    Size: 5504 bytes
  • Filename: font_01_sfnt_off00010798.bin
    SHA-256: a8e54e1459c4fef9e9edada6483359cfb0cea1610663bcadd4c6803819b3ff74
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10798
    Size: 10956 bytes