Malicious PDF — malware analysis report

Static analysis result for SHA-256 a995f1da92e3f7e4…

Verdict: MALICIOUS
File type: PDF
Size: 78.6 KB
Created: 2021-05-29 18:39:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8452795afd37db166d387ac08ecb91df
SHA-1: e2bc03dd85eac1e876fb9bfc1d2fdbd7974d0849
SHA-256: a995f1da92e3f7e46401d0263074c33d62ca875c5e0cbfda70f7be98d5336b68
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a suspicious URL that appears to be part of an SEO link farm, a common tactic for distributing malicious content or phishing pages. The ML classifier strongly indicated maliciousness, and the presence of numerous external links, many of which point to PDFs, further supports malicious intent. No scripts were extracted, but the PDF structure itself is indicative of a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://jacksth.ru/strik?utm_term=never+back+down+3+movie+download+480p

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f3f2.bin
    SHA-256: 4a7924528bee57e2c6720318e63b363bb72a19b8727bc1f8a85670f04b84ff3e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3F2
    Size: 5952 bytes
  • Filename: font_01_sfnt_off00010843.bin
    SHA-256: 8c965591172ffd7ce251d6dadea5b092cdbb7493dc203a362ed33f10b96018ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10843
    Size: 10732 bytes