Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3d805b9bd964f14…

Verdict: MALICIOUS

File type: PDF

Size: 89.0 KB
Created: 2021-03-27 15:43:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 23ed4e732385989244334bc8151ad881
SHA-1: 13ee6d5b998f6ef39af75118f0c7b42157fedf4b
SHA-256: b3d805b9bd964f14e79737af12014af2999d6b3b069e557bacb64cc0a827af84

Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a link farm, with the primary URL being a keyword search result. This suggests a phishing or SEO spam campaign. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or distributing unwanted content. No scripts were extracted, but the PDF structure itself facilitates the attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://bologen.ru/wix?keyword=ap+latin+practice+exam+pdf
    Further extracted URLs (link annotations, XMP namespaces and font licence links) follow in the full report.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, kind, source inside the PDF, size and SHA-256.

  • font_00_sfnt_off0000ef60.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF60
    Size: 5180 bytes
    SHA-256: 073b826fe6b425ce501c478da34754cbfb285103a0e7c3a539b25e3365e67d53
  • font_01_sfnt_off000100eb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100EB
    Size: 7660 bytes
    SHA-256: 43a6127af475c7dcddf61e68384210d558d7a4cde2de6e4d2d9b0c10a88cbd40
  • font_02_sfnt_off00011a2c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A2C
    Size: 10976 bytes
    SHA-256: 41742eed106028d8c589eb6e3a587fe7d3a5865694e162b0b880fced02d63fd5
  • font_03_sfnt_off00013fbd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13FBD
    Size: 16036 bytes
    SHA-256: 9559dd1bd908241551916101fda3d445a26f5c4b506a1423f23393456f9d5940