Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5464635eb2b2665…

Verdict: MALICIOUS
File type: PDF
Size: 139.7 KB
Created: 2021-05-25 14:47:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a7da4a366929ffd0f0e2982ca8f67d74
SHA-1: 594ee80556338a2d3b8a5147b82cff7375efdc64
SHA-256: b5464635eb2b266523e022194eeb419067e90d946a1472be91f9552dee0d0c1c
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by both the ML classifier and ClamAV, indicating a high likelihood of malicious intent. The heuristic findings show a PDF containing a large number of external links, suggesting it is part of a link farm or is designed to redirect users to potentially harmful content. While no scripts were explicitly extracted, the presence of numerous external URLs, including one carrying a search-query parameter, points towards a phishing or SEO-manipulation tactic. The document body is heavily obfuscated and contains metadata about its creation, but does not provide clear instructions.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9962

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/strik?utm_term=are+steam+locomotives+still+used+today
    • https://static.s123-cdn-static.com/uploads/4379726/normal_5ffe29d7c2b1e.pdf
    • https://rofizikijomosuj.weebly.com/uploads/1/3/4/0/134012810/davekotosadita.pdf
    • https://xiwupegolowiba.weebly.com/uploads/1/3/1/6/131606046/42b11d5578a88.pdf
    • https://static.s123-cdn-static.com/uploads/4417992/normal_5fdcc267e2908.pdf
    • https://static.s123-cdn-static.com/uploads/4411501/normal_60094e99a8c79.pdf
    • https://nimimetifav.weebly.com/uploads/1/3/2/8/132814674/gixufarer-videbuzovuben-puzinugubara.pdf
    • https://cdn-cms.f-static.net/uploads/4448110/normal_603871aa3e7ec.pdf
    • https://tatunonomufobuf.weebly.com/uploads/1/3/4/3/134355176/7415302.pdf
    • https://lobumemimakagom.weebly.com/uploads/1/3/3/9/133999871/244c897311.pdf
    • https://cdn-cms.f-static.net/uploads/4476133/normal_6048c6fdea2b9.pdf
    • https://povemiloten.weebly.com/uploads/1/3/4/6/134608376/finesawafijisa_famoteku_xadog.pdf
    • https://milafesubori.weebly.com/uploads/1/3/4/7/134745217/af9c61774a876.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/1a1413f1-697c-49fc-af0c-30b303bf0882/bell_bike_computer_set_up.pdf
    • https://s3.amazonaws.com/kawotexulozax/97980277551.pdf
    • https://s3.amazonaws.com/tixedujegibex/ratezotuseziralozi.pdf
    • https://s3.amazonaws.com/fajixe/206244436.pdf
    • https://uploads.strikinglycdn.com/files/59a2c251-b330-42ee-a3bf-889b02fb3a97/34998178668.pdf
    • https://uploads.strikinglycdn.com/files/82017413-25e8-4679-8be5-92ea8f63caf1/35396769345.pdf
    • https://s3.amazonaws.com/jutenojamega/fisher_price_monkey_swing_motor_replacement.pdf
    • https://s3.amazonaws.com/mojivikapeti/jixejidubikitejeso.pdf
    • https://uploads.strikinglycdn.com/files/284894d4-aae1-49d3-a3e6-33801b3d47e6/lusodexasuk.pdf
    • https://uploads.strikinglycdn.com/files/3be7122f-637c-405f-ac44-559408dff929/rock_band_4_midi_drums_ps4.pdf
    • https://uploads.strikinglycdn.com/files/9f1df9a8-25dd-4ffd-aed1-8bc291e2775c/electrical_and_electronics_engineering_books_free_download.pdf
    • https://uploads.strikinglycdn.com/files/e282abcc-c7fe-4cf1-bb9a-4b1b2df2cbb6/prentice_hall_gold_algebra_1_answer_key_form_g_chapter_2.pdf
    • https://uploads.strikinglycdn.com/files/43964584-cd28-4ddd-8f74-45a7be5594b5/inkscape_crop_image_to_path.pdf
    • https://uploads.strikinglycdn.com/files/30df25c6-7b4b-4706-974f-43c73ce9ff6c/7062668899.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001e422.bin
SHA-256: 580470a0c92f30683d2675de22579d3bc51e8ea25149c6ed046dd02c947a5b53
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1E422
Size: 5236 bytes

Filename: font_01_sfnt_off0001f5e8.bin
SHA-256: b00d3a3f7384a4d5d388b708d26a8a2d6357b7d332393e6f5011a8d565009f41
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1F5E8
Size: 13352 bytes