Malicious PDF — malware analysis report

Static analysis result for SHA-256 acf0d048fa6e05a8…

MALICIOUS

PDF

Size: 111.0 KB
Created: 2021-03-31 05:01:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74dc0b43b62a326933c797f16b60658a
SHA-1: d6d095b10f63fe3622e49e2d08c8a95f9ed3b1ac
SHA-256: acf0d048fa6e05a8ed19bed92daf1ec8106933f0e826c5ecc5c7e6e54cef77ad
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, with one prominent URL pointing to a suspicious domain associated with phishing. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware distribution. Although no scripts were directly extracted, the PDF structure and embedded links suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9676

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/award?keyword=bk+murli+in+bengali+pdf

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000d1a6.bin | efabc2a51c37c7c5ea14eadbab94f318a5f21bbf5d8be52754c6de50e3353e23 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD1A6 | 3288 bytes
font_01_sfnt_off0000dd6a.bin | a21f31373a2269e78de7dd292c69d64f666941be293655c17e6333c11675f34d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDD6A | 5436 bytes
font_02_sfnt_off0000efce.bin | 3843f4581af06141ab662d0b91d2498a9e1a72ff6e45fed0b26caa072a2b9bfb | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEFCE | 5116 bytes
font_03_sfnt_off000100f2.bin | a58d62dba894ee3cc99a659a3be365115978b3e4e43d7320e58a897cdf58d9fe | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100F2 | 4944 bytes
font_04_sfnt_off00011101.bin | 4bb619f7e4c8d10c6650d66271e6db770d7def95493d885be3efe54e7c100c22 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11101 | 3048 bytes
font_05_sfnt_off00011d0f.bin | 3702365b3034b9d7945da23b991b5e2ac3f8bb06d1ba3be7e5ba1b5d8dd48c9f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D0F | 2328 bytes
font_06_sfnt_off000127c8.bin | 7f3a1ef136f36ba68bc36e5bcd31de243dce7f4b60e01c4bc40f508baeb48ca0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x127C8 | 2604 bytes
font_07_sfnt_off000132a3.bin | cca5298ad2e89ab0d41cc63a8205340d9321530172a8d5dda1c28d17fa56adaa | pdf-font-stream | PDF embedded font (sfnt) at offset 0x132A3 | 3840 bytes
font_08_sfnt_off000140b1.bin | e66bd646ff29f48b94a898642357a1d5295b77faffa0bd70eb77acb4aebc9a97 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x140B1 | 2108 bytes
font_09_sfnt_off00014a8b.bin | 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14A8B | 4336 bytes
font_10_sfnt_off0001582b.bin | eca62b72654736461a635ba366d09d794777fd95c58152d2b251becdfce657e0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1582B | 6640 bytes
font_11_sfnt_off000169d2.bin | 3d60095f5eb704278e83d276fc5aa1c970b0e979ee80d986a08c0a829eec5252 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x169D2 | 11768 bytes
font_12_sfnt_off0001904c.bin | 1fe4ccd105a2165bdc8813e8ca44fd8ac4690c69a3d9c3432bfadde42be3cbe3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1904C | 3536 bytes
font_13_sfnt_off00019e2b.bin | c4869f4910101e9de114603d80c87e7465cc14a3edf423f39a6ef78b10429b6f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19E2B | 2608 bytes