Malicious PDF — malware analysis report

Static analysis result for SHA-256 acf5594604ca1610…

Verdict: MALICIOUS
File type: PDF
Size: 103.9 KB
Created: 2021-04-06 01:45:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0361fa03275b044e553adf67d3512c6
SHA-1: 64c39abec0092ccecc8b39f2d12bf2b8d50ae923
SHA-256: acf5594604ca161024d6553aee4505c2d5dd061ef74a7de673263834dc41bd4b
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDFs, suggesting a link farm or SEO manipulation tactic. The heuristic 'PDF_SEO_LINK_FARM' and the presence of a suspicious URL indicate malicious intent. ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious classification. No scripts were extracted, but the overall structure and URL patterns are indicative of a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    The document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00015405.bin | 87e81ce81e69ba7c9c8ccc670aac510d4f24390c3ad0b477cff035bcf6078a53 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15405 | 5292 bytes
font_01_sfnt_off00016616.bin | e1092363701e97a622cee563e31d1eee9c001bc9f08d6584a6135a959738820c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16616 | 13104 bytes