Malicious PDF — malware analysis report

Static analysis result for SHA-256 aab22f0c527153e1…

MALICIOUS

PDF

75.7 KB Created: 2020-12-22 08:07:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3bfefdeb07f1ccb27befd7abc3f2291b SHA-1: 65e29727ef56c58de692cfa90b0a24bb93310cde SHA-256: aab22f0c527153e174e7da1da80a0613448de37ee9bf54284ced66a2998d8414
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains a large number of external links, many pointing to disposable hosting services like Weebly. This behavior is characteristic of a link farm, often used for SEO manipulation or to distribute malicious payloads. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution through these linked PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/strik?utm_term=momo+creepy+horror+sound+jumpscare+meme+soundboard
    • https://muxamaxipusitu.weebly.com/uploads/1/3/4/4/134470051/boxanekel.pdf
    • https://nutomejeti.weebly.com/uploads/1/3/4/7/134702699/7603691.pdf
    • https://koruguliduni.weebly.com/uploads/1/3/4/8/134896859/9520467.pdf
    • https://vuvajufuzuno.weebly.com/uploads/1/3/4/4/134480129/popifojuviz.pdf
    • https://depasosuva.weebly.com/uploads/1/3/4/4/134483816/fca3c6ba725.pdf
    • https://murozukuzofapu.weebly.com/uploads/1/3/4/7/134716639/8368385.pdf
    • https://daxusumupazi.weebly.com/uploads/1/3/4/7/134702932/1628614.pdf
    • https://pumoguviponurin.weebly.com/uploads/1/3/4/7/134773216/1b5a58d5ba8f0a0.pdf
    • https://daxexamuve.weebly.com/uploads/1/3/4/4/134446800/16e9b7f6.pdf
    • https://kimuremosov.weebly.com/uploads/1/3/4/7/134732255/dasame-xuvunenekoxeba.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbe09a0f3de5e49b52b4917/1606289825401/vestido_de_novia_de_cenicienta_2015.pdf
    • https://uploads.strikinglycdn.com/files/ab1c305a-a358-43a1-a1c8-bc62ac0c01a0/87736253055.pdf
    • https://static1.squarespace.com/static/5fc2a7ede9fc3622d52d662b/t/5fc57f7bcb3e0f57710b5bbb/1606778748254/garasofu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b3ed.bin
8af38bf6b092cf15c41a16c047c4502ad815f9d5e7d08187b44fe6758edff768		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB3ED 5360 bytes
font_01_sfnt_off0000c5f5.bin
a2f777f37a8feec05041a0969a2134630ef106edc14631f42a1f2116d4eb492b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC5F5 3788 bytes
font_02_sfnt_off0000d49d.bin
b90e82804c2e6432566aae911d506872d87388f8c42ae7e876167b0f0165cbd9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD49D 10732 bytes
font_03_sfnt_off0000f975.bin
1f80f869180e1f49e4aa971cb2812fca6bf65d44172ad3844efb309727e9db02		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF975 17444 bytes
font_04_sfnt_off000112c9.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x112C9 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.