Malicious PDF — malware analysis report

Static analysis result for SHA-256 abb4cf42e7bb12ae…

Verdict: MALICIOUS
File type: PDF
Size: 76.2 KB
Created: 2021-04-14 08:55:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 38cf1abbcafbb5780c1c95de3ddf9541
SHA-1: a085186ac282cdda5cb2df22f1af4c7ebb33b2b9
SHA-256: abb4cf42e7bb12ae2046ce4b2e013ffd8099b8d7d793084c3ea48f35199adeb5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one prominent URL pointing to a suspicious domain that appears to be part of a link farm. ClamAV and ML classifiers identified this PDF as malicious, specifically flagging it as a phishing trojan. The presence of embedded links and the nature of the heuristics suggest an attempt to redirect users to malicious content, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/strik?utm_term=brother+hl-l2305w+toner+ebay
    • https://cdn-cms.f-static.net/uploads/4501656/normal_605840ef431a6.pdf
    • https://static.s123-cdn-static.com/uploads/4422638/normal_5fcb5e3e83223.pdf
    • https://static.s123-cdn-static.com/uploads/4451019/normal_5fcd9f5e710af.pdf
    • http://xidufefonudug.sportsontheweb.net/wegosaxurizofekoxod.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/genukopapovixo/vejinivepudopak.pdf
    • https://s3.amazonaws.com/wovugi/86255013727.pdf
    • https://bc5ba30c-e427-49eb-abc4-9677f18f04c1.filesusr.com/ugd/bcd086_eb86c18239884bca9b8c375c00ee2ef7.pdf?index=true
    • https://5e7fdb44-65a6-4d88-9b36-b69c04d36e08.filesusr.com/ugd/b547b4_7dd9beee3df147f6a272b064e38d5dfc.pdf?index=true
    • https://s3.amazonaws.com/pafiganovavi/ramas_nervio_facial.pdf
    • https://de2ee6d5-caaa-4265-b15c-40100ab77d99.filesusr.com/ugd/d43733_cb39941747af42eb8f02f63165d2a62b.pdf?index=true
    • https://128fc002-9ed4-4a8f-9a6b-83b43563a9ed.filesusr.com/ugd/6812d7_ccd2dd75ba934954818a8f576ab6e0a2.pdf?index=true
    • https://52468903-0e2d-47c5-babb-61e1d305d291.filesusr.com/ugd/32777b_088b1368c9e44aa8b12b5b5f052c3859.pdf?index=true
    • https://6dca1d0c-b102-4aa4-a312-d013f97c39dd.filesusr.com/ugd/fb87fb_0617fcfb6e2f494a8add151252587d4d.pdf?index=true
    • https://e8ceee85-86bf-4804-80ab-d7a1511cbcf5.filesusr.com/ugd/38650a_c87b8ceafc664fc2a45e38823a2a0448.pdf?index=true
    • https://b1c30c75-ab46-439a-884d-3836ae4b8a49.filesusr.com/ugd/2d1648_efc109a227334791915e071e8dc5a8fd.pdf?index=true
    • http://xoxekojut.onlinewebshop.net/how_many_watts_is_the_altec_lansing_life_jacket.pdf
    • https://s3.amazonaws.com/xakusineba/tanamedemivotodozufufeg.pdf
    • https://fac30f9c-1bc3-4ff6-ac40-7ced1d2a170b.filesusr.com/ugd/3b7182_675b79a7306a4415b689a32b0cde1852.pdf?index=true
    • https://2a0daf8d-7d8f-48a8-9da6-1f2c606fcb3a.filesusr.com/ugd/adb9e1_4c2c85edfe6f4f3da6725f2f21900dec.pdf?index=true
    • https://d0bf7e8b-5449-41c0-93e9-161603c0719f.filesusr.com/ugd/197ed4_c687d536b413432c9d69ddc55e0e9d10.pdf?index=true
    • https://dd54f144-242a-4a88-9385-6c39f9996aab.filesusr.com/ugd/9f32c1_0cb0fbcffb274de4b0fec806bd14adba.pdf?index=true
    • https://063758de-fb2f-4258-809e-b727485bfd5a.filesusr.com/ugd/89cda4_b87cbb5122ac4dcda5d0bb13edf0aeb2.pdf?index=true
    • https://s3.amazonaws.com/tiluwisulepam/34902401625.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • font_00_sfnt_off0000e858.bin
    SHA-256: 819f2d9a9cf5e04f259ab6df3d42b5e14ab8dadf3ea306025bcad8007d074f93
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE858
    Size: 5572 bytes
  • font_01_sfnt_off0000fb65.bin
    SHA-256: 2b8643d1768f297b9dd589664ee0f912365cd0a527185e698d8d80e9e84e25cc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB65
    Size: 11264 bytes