Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa42ee6afdbb7ef7…

MALICIOUS

PDF

Size: 85.6 KB
Created: 2021-03-28 17:56:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 543cfd7b8e7e986a066778299ae21213
SHA-1: 49abcf26d5091e43cf200781ba1d84a89f69860f
SHA-256: aa42ee6afdbb7ef7143d9ddf25cbc888509e3a268a3ebe9f9a68c571288e1ba9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one prominent URL pointing to a site that appears to be part of an SEO link farm. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or spam. No scripts were extracted, but the PDF structure itself facilitates the redirection to malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://leonvi.ru/award?keyword=calisthenics+workout+plan+pdf+deutsch
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8275e225-b46c-4952-aa95-d63d3d76bc05/how_to_write_a_letter_of_recommendation_for_scholarship.pdf
    • https://011f98f8-b45f-4578-a2fd-466b530f7845.filesusr.com/ugd/74e905_4b02e392caa647c7af4e0e9b73940f5f.pdf?index=true
    • https://a7da3e60-63c8-46c1-a846-eab7df628ed2.filesusr.com/ugd/bba345_04cdb3bd32cf46f5be32000f77e5ca50.pdf?index=true
    • https://s3.amazonaws.com/pisik/lion_vs_buffalo_video.pdf
    • https://321e46d8-a3e9-4523-905f-b0dcd1dcb7ef.filesusr.com/ugd/29fbc3_30b313e027fe45e4842f2fd2a88753b1.pdf?index=true
    • https://17a6c5a8-0587-4adf-8126-5b439e15a62f.filesusr.com/ugd/54bec1_72929724e4034cbb81ffc2fb29b6e202.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e251e21f-eb27-488c-801a-7ccd9023e338/vaxaxifilamudajizaz.pdf
    • https://680e7e7f-99bb-4309-8a01-ecc910dc7690.filesusr.com/ugd/717a42_791909b09c004c4caf74d5d8a214f044.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1cfdd10d-4cdf-4312-a93b-f67516a466c5/busolosefusefa.pdf
    • https://s3.amazonaws.com/tuxenipup/canticle_of_the_turning_piano_sheet_music.pdf
    • https://00407fa8-a9ef-4b78-9bbe-46147fc8acf6.filesusr.com/ugd/5ecadc_9d152f5177774bb79b1813ab8fca41ff.pdf?index=true
    • https://f87ce62f-3d5d-4c42-bff3-2e7d00444551.filesusr.com/ugd/72ed28_023ec26edb9744f9a7d9f8083998b052.pdf?index=true
    • https://26577e91-18e8-42c3-8e85-49dcca1d6605.filesusr.com/ugd/195787_c1a433db8cbf41d3847ed02101692c1a.pdf?index=true
    • https://s3.amazonaws.com/lixasifasi/fcc_phone_scams_report.pdf
    • https://s3.amazonaws.com/jagux/9409247189.pdf
    • https://s3.amazonaws.com/fajixe/php_auto_format_online.pdf
    • https://s3.amazonaws.com/xirixepo/dazigowur.pdf
    • https://uploads.strikinglycdn.com/files/d20ced34-b141-4733-9c74-b9324581087b/3.5_arcane_prestige_classes.pdf
    • https://s3.amazonaws.com/jitimesolagun/mercedes_benz_a_class_2018_manual.pdf
    • https://s3.amazonaws.com/midizaxopazeji/diablo_3_crusader_leveling_build_season_22.pdf
    • https://uploads.strikinglycdn.com/files/50ec6786-c993-4e38-9c25-bacf1ccbacec/zezujugaxodilobalowonike.pdf
    • https://c11ab09e-384c-4904-8c79-5ef6f38008df.filesusr.com/ugd/7131a6_ffb429a3ef7c4f8d892733903e6cc246.pdf?index=true
    • https://6e3eaeb2-b9dd-4462-8b56-96c59beebd9a.filesusr.com/ugd/dcc11b_79e3c46e71044b04a848d436cdeaf908.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000efee.bin
    SHA-256: f9f83d97a6334b0c966f762f84212d3e3f47cb455f0b32c20bdc291f593a8dee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFEE
    Size: 5304 bytes
  • font_01_sfnt_off000101fa.bin
    SHA-256: e9a5a1f6ed95b1e3669933bb00002ad32a1708c3e0b735191cad5e02368a6c7d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101FA
    Size: 1800 bytes
  • font_02_sfnt_off00010a88.bin
    SHA-256: 42cd715eabb3043e1ffd3a424b0b87a73d5dba27074a589a7017675c384ad265
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A88
    Size: 11532 bytes
  • font_03_sfnt_off000130d9.bin
    SHA-256: 531e37f64a2e7dc3bfb257675d9e6c644c7b1597f33ba9a969cd005a7ed65660
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x130D9
    Size: 16312 bytes