Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae0fc70412c42e5e…

MALICIOUS

PDF

Size: 75.7 KB
Created: 2021-04-03 06:52:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7fa3ae46182811f7a3bed3036181f347
SHA-1: d745d3b5cce57fbf9a2c9165cc25c621202b9ded
SHA-256: ae0fc70412c42e5ef44a9f21ca97290402a2611d1ab46f15286db2406a3f7c20
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a significant number pointing to Weebly and other file-hosting services, suggesting a link farm or distribution mechanism. The ClamAV detection and ML classifier indicate malicious intent, specifically identified as phishing or a trojan. While no scripts were directly extracted, the PDF structure and embedded links are indicative of a lure to a malicious website.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ec02.bin
  SHA-256: 0ced279916b9965197dbf90d92e2db33b15d3129ebf8c3b472369bffeb49d482
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEC02
  Size: 5044 bytes

Filename: font_01_sfnt_off0000fd3f.bin
  SHA-256: cc14145601c4103edaf0add9bac00bff7f2e7b6bb33df9cd6a0f57ca6cc04d6a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD3F
  Size: 10652 bytes