Malicious PDF — malware analysis report

Static analysis result for SHA-256 af2893e1bacbed2d…

Verdict: MALICIOUS
File type: PDF
Size: 69.7 KB
Created: 2021-03-08 15:35:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-10
MD5: d9a5073a3d8d8d720cd4587fc46e2160
SHA-1: 8a7b8899714032d0039132449dbd8bb0649d8f52
SHA-256: af2893e1bacbed2d4d74860aa48a32a0b595c4a576ec17882a0662975060d09d
Risk score: 196

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (saved edits append a new revision rather than rewriting the file), so severity is raised only when the duplicate carries active content such as a link action or JavaScript.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/award?keyword=adjectives+and+adverbs+elementary+exercises+pdf (PDF link annotation)
    • https://solakozejifu.weebly.com/uploads/1/3/5/3/135347449/kewobidumiretokisu.pdf (in PDF document text)
    • https://wojuguzibuliru.weebly.com/uploads/1/3/4/8/134896427/b11f0218e8fc.pdf (in PDF document text)
    • https://ranoxezumurew.weebly.com/uploads/1/3/5/3/135345736/zopomaxovumojeb_pejugeguzudax.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/xezujuxoz/best_job_application_letter.pdf (in PDF document text)
    • https://s3.amazonaws.com/xupovobejanam/how_to_reset_a_maytag_bravos_washer.pdf (in PDF document text)
    • https://f13dd0f9-fe0a-4257-a88d-d9af1a1cf0e3.filesusr.com/ugd/d954c5_5296249e4f66460c96de0093fe21ac92.pdf?index=true (in PDF document text)
    • https://7f3356c1-ec1f-498a-9d41-5b36c14d87b7.filesusr.com/ugd/98d33d_fb375c3d90f8431daae03606d6a15818.pdf?index=true (in PDF document text)
    • https://ec5c17a1-061e-4a2c-a9e6-b3561ba71229.filesusr.com/ugd/299074_156a56bafc4640ad8c5ac1e54f5151c4.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/fizufapu/4993773683.pdf (in PDF document text)
    • https://s3.amazonaws.com/winumigutam/18051507528.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/111df4a9-f235-4135-b5ba-6647a200974d/pujoromezimirifijesiwo.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1635426c-a5bf-43ae-b6ef-87f865eb2d3f/how_to_change_a_door_seal_on_a_front_load_washer.pdf (in PDF document text)
    • https://s3.amazonaws.com/wujapu/lugares_turisticos_de_alemania_informacion_en_ingles.pdf (in PDF document text)
    • https://s3.amazonaws.com/neviwove/60802043617.pdf (in PDF document text)
    • https://s3.amazonaws.com/desekusoxi/wordpress_ecommerce_templates.pdf (in PDF document text)
    • https://bf68d742-fb98-404a-ab47-1dcf24f7df52.filesusr.com/ugd/83e7fd_b2231d72d8d548a98c79c5c37de99428.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/siwixomudit/virology_textbook.pdf (in PDF document text)
    • https://s3.amazonaws.com/fapaga/98652645965.pdf (in PDF document text)
    • https://1e16f6d7-285b-4488-bf07-d3e24ac90e20.filesusr.com/ugd/417718_260415d4b06a4a9aaec8e941f23f96cb.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/vukujidor/41443627398.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0dbabfa8-60bb-468c-ad04-46ff9ca07c0f/less_than_zero_book_review_ny_times.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text; XMP metadata namespace)
    • http://purl.org/dc/elements/1.1/ (in PDF document text; XMP metadata namespace)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text; XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text; XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text; XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text; XMP metadata namespace)
    • http://scripts.sil.org/OFL (in PDF document text; font licence URL from an embedded font)
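The three structural heuristics above (link farm, SEO redirector, duplicate object body) can be checked directly against the PDF bytes without a signature. The following Python script is an added example, not the analysis engine's own code and not code from this page: it scans indirect objects with a regex, resolves them once as a first-wins reader and once as a last-wins reader, pulls the /URI link actions out of each view, and scores host clustering and multi-word query bait. The thresholds (200 KB, three or more .pdf links, 60% on one host, a three-word keyword/utm_term value) and the embedded sample PDF are assumptions constructed for illustration; the sample deliberately redefines object 4 in an incremental update so the two reader policies disagree.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample (not the report's file): a tiny PDF whose first revision
# carries five /Link annotations, followed by an incremental update that
# redefines object "4 0" with a different body pointing at an SEO-style
# redirector. No xref tables: this is a minimal fixture for the regex scanner.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://docs.example.com/help.html) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.example.net/u/1/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.example.net/u/2/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://files.example.net/u/3/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.org/x/d.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirect.example.net/award?keyword=free+ebook+solution+manual+pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Toy object scanner: works on raw bytes only. It does not decode object
# streams, compressed or encrypted content, hex strings or escaped parentheses,
# so a real triage tool should use a proper parser; the logic below is the point.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.DOTALL)
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^()]*)\)")


def scan_objects(data):
    """Return every indirect object definition as (num, gen, body) in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """(num, gen) -> list of bodies, for objects defined more than once with differing bytes."""
    seen = {}
    for num, gen, body in objs:
        seen.setdefault((num, gen), []).append(body)
    return {key: bodies for key, bodies in seen.items() if len(set(bodies)) > 1}


def resolve(objs, policy="last"):
    """Simulate a first-wins or last-wins reader: (num, gen) -> body it would use."""
    table = {}
    for num, gen, body in objs:
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def link_uris(table):
    """Extract /URI link action targets from a resolved object table."""
    return [m.group(1).decode("latin-1")
            for body in table.values() for m in URI_RE.finditer(body)]


def link_farm_score(uris, file_size, size_limit=200_000, min_links=3, cluster_ratio=0.6):
    """PDF_SEO_LINK_FARM-style check (assumed thresholds): small file, several
    external .pdf links, most of them on a single host."""
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    if not pdf_links:
        return {"hit": False, "pdf_links": 0, "top_host": None, "ratio": 0.0}
    top_host, top_n = Counter(urlsplit(u).hostname for u in pdf_links).most_common(1)[0]
    ratio = top_n / len(pdf_links)
    hit = bool(file_size <= size_limit and len(pdf_links) >= min_links and ratio >= cluster_ratio)
    return {"hit": hit, "pdf_links": len(pdf_links), "top_host": top_host, "ratio": ratio}


def is_seo_redirector(uri, min_words=3):
    """PDF_SEO_UTM_REDIRECTOR_LINK-style check (assumed keys): a utm_term/keyword/q
    query value holding a multi-word phrase, i.e. a search-query bait string."""
    query = parse_qs(urlsplit(uri).query)  # parse_qs turns '+' back into spaces
    return any(len(value.split()) >= min_words
               for key in ("utm_term", "keyword", "q") for value in query.get(key, []))


def analyze(data, policy="last"):
    """Run all three checks under one reader policy and return a small report."""
    objs = scan_objects(data)
    uris = link_uris(resolve(objs, policy))
    return {
        "duplicates": sorted(duplicate_objects(objs)),
        "uris": uris,
        "link_farm": link_farm_score(uris, len(data)),
        "seo_redirectors": [u for u in uris if is_seo_redirector(u)],
    }


if __name__ == "__main__":
    for policy in ("first", "last"):
        report = analyze(SAMPLE_PDF, policy)
        print(f"[{policy}-wins] duplicates={report['duplicates']} link_farm={report['link_farm']}")
        print(f"  redirectors={report['seo_redirectors']}")
```

Running it shows why the duplicate-object heuristic matters operationally: a first-wins scanner sees only the benign docs link in object 4 and reports no redirector, while a last-wins viewer (the usual behaviour for incremental updates) follows the keyword-bait URL. The link-farm score is the same under both policies because the clustered .pdf links live in objects that are never redefined.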

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000d27f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD27F | 5736 bytes | 384c596389292756e9be7bacc297aa972356ae71d1fa3aed9a3641a685b26f49
font_01_sfnt_off0000e5fb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE5FB | 10320 bytes | 71290294bb3f4ae28fe4cbdffaa3c32af65cbf38cc82d9eef8f3427491f3624a