Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4f781f2a67f0d26…

Verdict: MALICIOUS
File type: PDF
Size: 87.1 KB
Created: 2021-03-26 08:43:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73105b1b98676502c1cbc3b8b3284a63
SHA-1: 1f8667e558f66ca3b5c8b64e96176e3aca5affe4
SHA-256: b4f781f2a67f0d269d2decfa76190b4a9a2df28ed31121251b593eeca520c9f7
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document, generated by wkhtmltopdf, contains a large number of external links, many of which point to PDF files. The primary malicious URL identified is 'https://resalured.ru/award?keyword=biografia+de+andres+caicedo+pdf', which appears to be part of a link farm designed to drive traffic. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or SEO spam.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://resalured.ru/award?keyword=biografia+de+andres+caicedo+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000113b3.bin
  SHA-256: 65c019497223ca7e94bb6a74a12de9927d981f4cbaac58e5144a7060bbd45e5e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x113B3
  Size: 5340 bytes

Filename: font_01_sfnt_off000125f9.bin
  SHA-256: f9dba8197552cf13e0489ab6a09d693cc4684fd2b21c05d4e331fc661cced082
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x125F9
  Size: 12004 bytes