Malicious PDF — malware analysis report

Static analysis result for SHA-256 b27c893f03e5e788…

Verdict: MALICIOUS
File type: PDF
Size: 87.4 KB
Created: 2021-03-31 22:49:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f1fe515beff278e7eef4fb5b773df33d
SHA-1: 7757de2a187fb5079a499bf47573c09dadf58ee4
SHA-256: b27c893f03e5e788bd74abb713e8e039947517ff8fc34c57a50bce9fc1003371
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics, including ClamAV and an ML classifier. It contains numerous external links, many of which belong to a link farm built for SEO manipulation. The document body, though heavily obfuscated, appears to contain metadata related to search keywords and PDF generation, which points to a phishing or SEO spam campaign. No scripts were extracted, but the large number of external URLs indicates a likely attempt to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/wix?keyword=northwestern+coniferous+forest+average+temperature
    • http://nickned.me/diposufarewagumaroduxaucxwh.pdf
    • https://cdn.sqhk.co/sesexibanobu/d9H0K4Y/70882750520.pdf
    • http://masovizifuzaro.iblogger.org/19129259692.pdf
    • http://huaweistoreukr.xyz/words_their_way_upper_elementary_spelling_inventory_sentencesa8xav.pdf
    • http://goshop32.site/28959587837zdftg.pdf
    • https://cdn.sqhk.co/nozedimasav/zjdYihM/fake_gps_location_joystick_apk_download.pdf
    • https://cdn.sqhk.co/bikegola/j8OBZ04/68742111790.pdf
    • http://lenudes.com/pacific_fire_vine_maplewnjip.pdf
    • https://cdn.sqhk.co/xeduwukaxusa/Ahdihgg/meditation_guided_sleep_short.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://16cc4848-9a85-487f-bc1d-da55f68f8448.filesusr.com/ugd/dcf86b_b814f56b8c95465bac72e0f3e38563fc.pdf?index=true
    • https://d5bea983-5bca-41ba-aae6-6b688785cc77.filesusr.com/ugd/9ec29b_a95bc15230d648098425e780a6c81f4e.pdf?index=true
    • https://6f81cef9-66a2-447d-9e1d-4c0427ef15c5.filesusr.com/ugd/4d935e_2a94b87c38f947a9b1678d221930b122.pdf?index=true
    • http://xakitidopapav.epizy.com/xadupavawedafewuronalesi.pdf
    • http://bugifub.epizy.com/logout_twitter_app_android.pdf
    • https://0e627107-309b-4451-a84d-e7064c41fccd.filesusr.com/ugd/04c368_d0299fa2cc2d4a9a8424f3d446de6185.pdf?index=true
    • https://s3.amazonaws.com/farezelof/md5_checksum_file.pdf
    • https://s3.amazonaws.com/fuwawibu/lukikininezipu.pdf
    • https://s3.amazonaws.com/wibedubosateg/content_validity_test.pdf
    • https://a0d2adcf-75bd-42a9-a42a-c23e1c6e9e1a.filesusr.com/ugd/85c99c_563f038659ba4189a0efc7b139b4f752.pdf?index=true
    • https://f4b9ed98-44c1-44e6-9966-d9817cd43de7.filesusr.com/ugd/9ced5d_39789551a86349c69585c9302ae4f1ce.pdf?index=true
    • https://9539e3d7-93ad-434a-85ac-22bd9bdb82bb.filesusr.com/ugd/df7b34_e8bb8606a8974a698d66e921b3ffde95.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off000101eb.bin
    SHA-256: 13ba61a80f131248725b8e54ae2eac4e4cbbe9ddd5ea2bd352074f57f7f8010e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101EB
    Size: 5516 bytes
  • font_01_sfnt_off000114ab.bin
    SHA-256: cf275be26c0d026042174fe5c93e89f1a684e850e9b76d85eff8c79ab06eb548
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x114AB
    Size: 11000 bytes
  • font_02_sfnt_off00013a35.bin
    SHA-256: d25a34a56be33791b66bd7dbe91ee772b39b89bee75ba0e64ef3ea6cb2c10b57
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13A35
    Size: 16260 bytes