Malicious PDF — malware analysis report

Static analysis result for SHA-256 a708bf749ca58d94…

Verdict: MALICIOUS
File type: PDF
Size: 76.5 KB
Created: 2021-03-28 07:24:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a450ff5b8ec1343a1c5954ece9e90da2
SHA-1: 6041d8a7b5b625ba193417c1b6ca50a9fcffaa94
SHA-256: a708bf749ca58d94c201956d24a09aa921ae7cc11112d681e77373c92d9c6c9c
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious content. The presence of a PDF link farm heuristic suggests an attempt to redirect users to numerous external sites. While no scripts were directly extracted, the PDF structure and embedded URLs point towards a phishing or SEO manipulation scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/wix?keyword=i%2527ll+be+there+for+you+lyrics+erika+costell
    • https://cdn.sqhk.co/jomonufo/giWKias/pathogenicity_and_virulence_among_microorganisms.pdf
    • https://cdn.sqhk.co/rifibimilo/gchjhbb/72402763538.pdf
    • https://cdn.sqhk.co/ramojezi/hahiy7u/zubaxekukuguvekibelewuju.pdf
    • https://cdn.sqhk.co/xolanikipiz/nligTgi/roblox_avatar_maker_for_xbox_one.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/773718f7-cadd-4ad8-a274-7b565f5a6101/43600525376.pdf
    • http://zapofekeba.rf.gd/41857086694.pdf
    • https://uploads.strikinglycdn.com/files/b306c128-9e40-4340-9762-704a94cbba1a/ninevimademedemeko.pdf
    • https://uploads.strikinglycdn.com/files/9bcb8e55-3ade-42c2-bcd6-62b1871753d8/78296480593.pdf
    • https://uploads.strikinglycdn.com/files/868cc38e-de35-4bd4-a442-66faf5a0ce76/acordes_de_piano_canciones_cristianas.pdf
    • https://uploads.strikinglycdn.com/files/266d25bc-b74a-4b08-a888-b44fc6c25322/la_ciudad_de_las_bestias_analisis_de_los_personajes.pdf
    • http://bejopirobi.epizy.com/46100781183.pdf
    • https://uploads.strikinglycdn.com/files/a0292f42-fd77-4a75-81d2-51f0601f75e3/71791174009.pdf
    • http://jujonejetas.epizy.com/27856212777.pdf
    • https://77483064-5892-4b52-b419-66e751946b77.filesusr.com/ugd/ef7b09_575f3c7b9253490292beb5eac01623f6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4004c76d-22c9-4bab-a218-0dff295fdb53/takorivejeniru.pdf
    • https://uploads.strikinglycdn.com/files/3f7f7418-bf14-4f3e-b7b4-0c2644498345/guboki.pdf
    • https://uploads.strikinglycdn.com/files/771facf8-e0f4-40ce-bbf0-ccb6e06de10c/aprender_ingles_musica_gratis.pdf
    • https://c183b790-cb34-49aa-848e-1a9f2b14dda3.filesusr.com/ugd/d8966e_5d4fc20580bf4bb9bef01a9580c8ad43.pdf?index=true
    • https://6b5d12f1-3bbc-48af-9ddb-5430d2fe15e7.filesusr.com/ugd/3bf302_0dad1ae3c9134847858bb1403a79f675.pdf?index=true
    • https://9f9bd9fa-00fe-4673-b34e-9a629881f524.filesusr.com/ugd/09273f_83b6216015734f1a9c62f2fd8abd7164.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e2c12d64-5067-47b8-8257-97ad2e885c31/7360351524.pdf
    • http://banigigafizaje.epizy.com/joliguvik.pdf
    • https://uploads.strikinglycdn.com/files/73c68517-e94e-4d85-82d3-8d4a8ad6b5f4/craftsman_12_radial_arm_saw_for_sale.pdf
    • http://kejefutipetube.epizy.com/what_is_a_principal_engineer_description.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ef9e.bin
    SHA-256: e64a44ca1b666ba1c35efaecada93f9d58300cc1a0b871502198f30accfdddb6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF9E
    Size: 5244 bytes
  • font_01_sfnt_off00010180.bin
    SHA-256: 93e4b282b7afa2b5759035fc281e0097f2c57e9908a10647f8db2b708755a17b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10180
    Size: 10040 bytes