Malicious PDF — malware analysis report

Static analysis result for SHA-256 a41533334643c8ae…

Verdict: MALICIOUS

File type: PDF

Size: 76.0 KB
Created: 2021-06-15 11:03:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1a4f21417cfb33175468c3910a329daf
SHA-1: 725fa46373ae59c2a765a61152bd2096b6a04ab0
SHA-256: a41533334643c8ae93ae65e7e43e0709a996970909b152803814885773447f2f
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. The presence of a large number of external links, many pointing to PDF files, strongly suggests a link farm or SEO manipulation tactic. While no scripts were explicitly extracted, the PDF structure and embedded URLs indicate an attempt to redirect users to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pegugigatusib.weebly.com/uploads/1/3/4/4/134460290/8976137.pdf
    • https://topuwozusap.weebly.com/uploads/1/3/4/8/134869447/7206301ba785.pdf
    • https://rixilokif.weebly.com/uploads/1/3/4/1/134109141/vuxenulovidupipi.pdf
    • https://wunogalabapa.weebly.com/uploads/1/3/4/6/134603674/7315df34a.pdf
    • https://mizefowoxeze.weebly.com/uploads/1/3/4/4/134485365/gebusowuleriv.pdf
    • https://rizipopene.weebly.com/uploads/1/3/5/3/135316145/ccbc9be28fe.pdf
    • https://reravojune.weebly.com/uploads/1/3/1/4/131406269/2202054.pdf
    • https://dudafizegananif.weebly.com/uploads/1/3/4/8/134864336/08333435c4c5f5.pdf
    • https://xipazodi.weebly.com/uploads/1/3/4/3/134375507/vepij_wubaxijes_zisunub_fupivari.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://feedproxy.google.com/~r/wb/ENAH/~3/jJyWpsOf3IE/wb?keyword=what%20is%20truvolume%20on%20vizio%20sound%20bar
    • https://uploads.strikinglycdn.com/files/45a3ae88-4f38-4a0a-9252-c568718fdd03/vazebemuwefijopafit.pdf
    • https://uploads.strikinglycdn.com/files/1c7a7a3d-0436-4e1a-b65b-99b0e00cc77b/33740463195.pdf
    • https://uploads.strikinglycdn.com/files/f15a19c5-397c-4714-991a-b96bc4fe5b94/american_born_chinese_jin_character_traits.pdf
    • http://ritijix.pbworks.com/w/file/fetch/145089504/98916743558.pdf
    • https://uploads.strikinglycdn.com/files/71cf561e-9a30-4d5c-8224-75f8c18fc8ea/naxogopesadipeserolamo.pdf
    • http://rubepikonot.pbworks.com/f/58967548330.pdf
    • http://kifatozexi.pbworks.com/f/fanny_best_build_and_emblem_2021.pdf
    • http://fifafar.pbworks.com/f/zezumizasakutuvosowob.pdf
    • http://pidexuxok.pbworks.com/f/juwenowake.pdf
    • https://uploads.strikinglycdn.com/files/48d2402a-3d52-4365-b8a6-e101946f6711/behaviorally_anchored_rating_scale_form.pdf
    • http://fevawigo.pbworks.com/f/32230976127.pdf
    • http://xigikegom.pbworks.com/w/file/fetch/145249881/antigona_sofokles.pdf
    • https://uploads.strikinglycdn.com/files/e2966566-c695-43b0-95be-3d2845b4498f/i_beam_pointer_excel.pdf
    • https://uploads.strikinglycdn.com/files/524cf59a-ba39-430d-bffc-139e55c4ac5f/libro_de_catequesis_nmero_6_contestado.pdf
    • http://nugewil.pbworks.com/f/15536125926.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ec5e.bin
    SHA-256: 4ef308378e9510e66e85742a54393a5809ef5d8376298358277de5ef20e77243
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC5E
    Size: 5328 bytes
  • font_01_sfnt_off0000fe64.bin
    SHA-256: cb2cba37c79926925acd934137ac64f001782523323b3c9e020e68d258092e67
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE64
    Size: 10676 bytes