Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa18d73ade29605d…

MALICIOUS

PDF

Size: 84.6 KB
Created: 2021-03-14 11:57:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45c3206ba75c672187d2e08f7b7cd46a
SHA-1: 503d4b8a97074b0e7e1d0cf507b063e4297947e9
SHA-256: aa18d73ade29605db2cc09b3483365960887c13a14d637f20c810774947f0b59
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing or SEO link farm attack. It contains numerous external links, with the primary suspicious URL being https://seumenha.ru/123?utm_term=rc+flying+wing+design+pdf. While no scripts were explicitly extracted, the PDF structure and the presence of external links suggest a potential for malicious content delivery or redirection, aligning with spearphishing attachment tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://seumenha.ru/123?utm_term=rc+flying+wing+design+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off000109a9.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x109A9   5216 bytes
    SHA-256: e5a984c1a0166adf24dd0a9a8f62dbf937eca87e70e8a447546fc5901c21b7f1
font_01_sfnt_off00011baf.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x11BAF   11716 bytes
    SHA-256: b91b4a5f32dc09f5b6581f73da82d156d8e162016955b3baa85219179400fbcf