Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2c8eb3559482816…

Verdict: MALICIOUS
File type: PDF
Size: 79.8 KB
Created: 2021-04-18 02:43:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dbadb4b41ad5d2afce2fddc603698565
SHA-1: 4972723fa8953e8c086ae5422b26ee07d90ad298
SHA-256: a2c8eb3559482816eb5519261ba794c53fd6c584e0ce151fffd401e4a19a73c5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting a malicious intent to redirect users. The ClamAV detection and ML classifier further support its malicious nature. While no scripts were explicitly extracted, the PDF structure and embedded URIs indicate a phishing or redirection attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://botokaw.ru/strik?utm_term=how+to+tell+if+your+wood+stove+is+certified
    • https://sewizejego.weebly.com/uploads/1/3/4/6/134679492/guvidojoko-datamupoxu-rifatizisasot.pdf
    • http://gazajujana.mygamesonline.org/meaning_of_business_environment.pdf
    • https://bodumiwi.weebly.com/uploads/1/3/1/4/131406735/b50067ea.pdf
    • https://seguvixezamab.weebly.com/uploads/1/3/5/9/135961197/memuzosedezegasomuno.pdf
    • https://luzatewuxajexi.weebly.com/uploads/1/3/4/2/134265782/bupegetemasakev.pdf
    • https://faluwesidiji.weebly.com/uploads/1/3/0/7/130738597/3129160.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://97a45c9e-1ab5-462a-bfe2-fded34b9a8b9.filesusr.com/ugd/b50c55_bbc98166f93743348df201304575b299.pdf?index=true
    • https://a96990da-dd17-4b11-844c-aba2d588d1b6.filesusr.com/ugd/5e5e7b_9296e84a1378475d98791b6373e6e25c.pdf?index=true
    • https://61249681-e2d1-4375-841a-b3723294d79c.filesusr.com/ugd/3d514e_e08d6eabd8f34811ae3ca8dd344bfffa.pdf?index=true
    • https://ec08fec6-e576-400d-8504-372613838d3c.filesusr.com/ugd/57e0ce_3c9378d5d7d14d8dbc4b4caa07bc5ea6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/aa3cb313-98c6-431a-b350-47302d5bec58/learn_python_programming.pdf
    • https://uploads.strikinglycdn.com/files/c772c010-bf60-4512-aea5-483aa056f698/how_much_do_detectives_get_paid_a_week.pdf
    • https://331e17ce-4321-42a7-89aa-067eaa3daeeb.filesusr.com/ugd/6576ad_5af97e855b50442cb3a44964983694d9.pdf?index=true
    • https://e590c0d9-b694-44fb-9862-47327b30d8b0.filesusr.com/ugd/89363e_1af35e807c1e4a32b53b432877d50e9f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/20907a6d-3563-492e-9cea-b463da2e443e/23068151992.pdf
    • https://uploads.strikinglycdn.com/files/121eae01-bf4a-4dac-a8ce-a381a66a1ca5/pro_97_scanner_software.pdf
    • https://uploads.strikinglycdn.com/files/1c5a9128-d442-4473-b551-d16731876a6d/2005_dodge_ram_1500_quad_cab_specs.pdf
    • http://zonafikepejese.onlinewebshop.net/66915680384.pdf
    • https://uploads.strikinglycdn.com/files/e4394462-ba69-4952-baa0-1fd26e0e0508/best_teaching_techniques_for_adults.pdf
    • https://uploads.strikinglycdn.com/files/38e60a26-1367-4825-b5b8-66a38562739c/70605126503.pdf
    • https://05790d5e-93e9-4545-bcc4-99c37f081c18.filesusr.com/ugd/bff4d5_af776c382a104c2db10366139f1943dd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/74a871c8-bb15-496f-a613-5f9dc3ba0284/39644342257.pdf
    • https://c83cbd6e-a134-4b49-ba12-49f24c654ad9.filesusr.com/ugd/904a8b_f3269701bc254721a027bd8ebf2325ed.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000fbdc.bin
    SHA-256: dec05ba213668d4041298d79847f9c36d48da35255f716f0ecd0ce560a458b41
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFBDC
    Size: 5020 bytes
  • font_01_sfnt_off00010d20.bin
    SHA-256: 14c6167bc60aa92f4789d972cd67c984266c08f21f2493bcdb0b9b2904032f7d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D20
    Size: 10852 bytes