Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae5e12d313522d19…

Verdict: MALICIOUS
File type: PDF

Size: 127.4 KB
Created: 2021-03-20 22:19:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 855ceed20a9e451c3c1d9fc6090b99ca
SHA-1: b0b5aad3ce85a2e8cb2139fee52dd75f598217e8
SHA-256: ae5e12d313522d1962bd06a52d91ab33e2078388d3bbb8d60e850b3cbf5ad1ba
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains a large number of external links, many of which are hosted on disposable domains or redirectors, indicating a link farm or phishing lure. The primary malicious URL identified is `https://jottigo.ru/strik?utm_term=40+hp+johnson+outboard+wiring+diagrams`. The presence of PDF-specific heuristics and the ML classifier's high confidence score strongly suggest malicious intent, likely related to phishing or malware distribution via the linked content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9976

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jottigo.ru/strik?utm_term=40+hp+johnson+outboard+wiring+diagrams (channel: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001b476.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B476
    Size: 5784 bytes
    SHA-256: 648f795e602ec35daa9f19f8b7cd87a868109f04f7c44a707b844b4a173cf6d4
  • Filename: font_01_sfnt_off0001c810.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C810
    Size: 11660 bytes
    SHA-256: 05d1dda8906f9c9399d56de4d7f263495bec007d318ec420f8412c81e28019de