Malicious PDF — malware analysis report

Static analysis result for SHA-256 aff733c4b31aaf4f…

Verdict: MALICIOUS
File type: PDF

Size: 76.4 KB
Created: 2021-03-19 07:49:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: fa2a07ee47ff316626596f839235522d
SHA-1: 7f7f8dd8c68c3c190ba5b9c36724e18a49e15dbd
SHA-256: aff733c4b31aaf4fea24450ec6ec80fc9d93fe6f5c667be421c79267134f273e

Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to suspicious domains, indicating a link farm or phishing attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a phishing or malware distribution campaign, likely using JavaScript for exploitation.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://pelibifir.ru/strik?utm_term=mossberg+500+tactical+cruiser+review
    • http://bostpolamos.site/9288765952xhnvj.pdf
    • https://kofudisefases.weebly.com/uploads/1/3/4/0/134018526/mefak_siligotefarevox_jemado_bezewap.pdf
    • http://callup.today/manimuvafavufiwewunmtfa.pdf
    • http://chambrehub.xyz/where_can_i_watch_twilight_for_free_2020pqp6v.pdf
    • http://italdom.fun/what_are_neoprene_face_masks_used_forx3jgt.pdf
    • https://zigakenipipoto.weebly.com/uploads/1/3/4/1/134131781/velojoluve.pdf
    • https://mabajiluvepe.weebly.com/uploads/1/3/1/4/131409333/tuketawele.pdf
    • http://salet.store/greyscalegorilla_s_guide_to_x-_particlesfbw2v.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://8d90b851-447f-4cfc-ac95-1e867b71b983.filesusr.com/ugd/b371d9_b2d460f297cc403aa445db9673aa8931.pdf?index=true
    • https://95fbbc11-640f-4658-acdf-6e09da746871.filesusr.com/ugd/e42ee3_53cdf8b55b0c4d009b9ced5eb55ffd29.pdf?index=true
    • https://769966b8-4adc-437e-bba8-f198cf6e171b.filesusr.com/ugd/41a0b6_df49743430b34f77b00da30e98a01b95.pdf?index=true
    • https://ba30dffa-51fe-4caa-9472-6f142403a9bb.filesusr.com/ugd/c2007e_5c4e50a808f841d4850d6db5766a66d9.pdf?index=true
    • http://gebawapevala.epizy.com/panav.pdf
    • https://1261df91-4e32-40b2-8b8a-4050d3c54cbb.filesusr.com/ugd/df69c1_d82c79ad703c4b33b5abd2d634002fbf.pdf?index=true
    • https://28ed73df-463f-41d7-bc87-4635118fd8e0.filesusr.com/ugd/74acc8_096089b547804dbb943913c8ea46723b.pdf?index=true
    • https://80b1f93a-fe74-4439-a81d-34814fa7a505.filesusr.com/ugd/e56fe2_cd157638191c4f4eb89761fecfb95e97.pdf?index=true
    • https://c72a6d71-2fad-4f5a-8b7a-a7c165485bce.filesusr.com/ugd/a4966f_e6c19cf0cc4b49f88a5f1a71ca6a420c.pdf?index=true
    • https://989eff4c-946f-4221-9817-1a8d60f2082d.filesusr.com/ugd/7edf14_f792036afcf448bfb08c1f1ca51ab208.pdf?index=true
    • https://c1d61d78-9bae-425c-b347-ee91470fe4f1.filesusr.com/ugd/60933b_487bcedc27614a988718856d22270114.pdf?index=true
    • https://0296ecfc-28ae-4fa5-925c-67a25994cace.filesusr.com/ugd/c88839_3a01df7b2f74475980e0638db1f2efbc.pdf?index=true
    • http://duximamezuzef.rf.gd/ruin_and_rising_book.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ebeb.bin | 9145a17b651e3d846d0f114628aa5c521eca3fdeffe75b8f9092ee3c0da0979e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBEB | 5528 bytes
font_01_sfnt_off0000feee.bin | fed9c65e384ca5a30b72ff9162b7f904c57b58c255d9d484bdb790b5b94ed399 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEEE | 10896 bytes