Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6fb37e8343b3fa7…

MALICIOUS

PDF

Size: 122.4 KB
Created: 2021-03-31 01:15:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b3efa360adb2cb262220d072c4aad84a
SHA-1: da17bd3db35bee67ff3ce27154d40f5a4d0b5f72
SHA-256: b6fb37e8343b3fa724d01f7ced2cd27cb7dcf4caf9371a5e4dbbee78bce44dfa
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was rendered from HTML with wkhtmltopdf and is only 122 KB, yet it carries roughly two dozen clickable external links, almost all pointing at further .pdf files on free hosting (weebly.com, filesusr.com, strikinglycdn.com, rf.gd, epizy.com) plus a handful of throwaway domains. That is the signature of a generated SEO/link-farm carrier rather than a document with a normal citation pattern: the file exists to route readers who open it, and search engines that index it, into a chain of further hosted PDFs that can lead to phishing or unwanted-software delivery. The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier (0.9993) agree on the verdict. No JavaScript or other active content was extracted, so the risk lies in the link targets, not in code inside the file; the T1059.007 (JavaScript) tag above is not backed by any script found in this sample. Note also that the last seven URLs in the list below (w3.org, purl.org, ns.adobe.com, scripts.sil.org) are XMP namespace identifiers and a font-licence URL pulled from metadata, not link targets, and should not be blocked or treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • PDF_URI (info): External URI
    The PDF contains at least one /URI action, i.e. an external URL that is opened when a link annotation is clicked.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (the file is saved in place and the changed objects are appended after the previous %%EOF), so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel (macro, JS, link annotation, document body, ...) through which each URL is reached, as recorded in the per-URL labels. Extracted URLs:
    • https://golowaki.ru/award?keyword=beating+the+odds+jump+starting+developing+countries+pdf
    • http://crysety.xyz/project_management_case_studies_and_answersk64u2.pdf
    • https://buwigare.weebly.com/uploads/1/3/5/3/135308802/nenemuda_gokefiwekipuvov_kusarefidejej_dotusenimi.pdf
    • https://fanuterose.weebly.com/uploads/1/3/3/9/133999321/kagalogomasino-boganutazagi-fuzepir-xuxozoja.pdf
    • http://fsbsiod.com/zokerinolavoluzavooq.pdf
    • https://kikokowenut.weebly.com/uploads/1/3/4/7/134713101/412172.pdf
    • https://ponegibafuzixi.weebly.com/uploads/1/3/1/4/131406662/sejokozixiluxasuri.pdf
    • https://rakiletapaleta.weebly.com/uploads/1/3/1/8/131856645/520379.pdf
    • http://minuette.me/mubirokukofolugezu2yyp.pdf
    • https://kojemugolipoxo.weebly.com/uploads/1/3/4/7/134729864/5105770.pdf
    • https://satufimitu.weebly.com/uploads/1/3/4/7/134715308/fojopat_sabemivukivo_latibewixu_kinizilibijupof.pdf
    • https://xadajepiba.weebly.com/uploads/1/3/4/5/134589644/4816911.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fomobiwudaz.rf.gd/82125000496.pdf
    • https://e5b7f393-9b83-42c5-a877-5b85c0c772c8.filesusr.com/ugd/77b42d_f99f32169fbf414b9693a285a88729f5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/87c13a65-661b-4c5f-b404-0f431e863553/6469168819.pdf
    • http://jebomunebuxod.rf.gd/beautiful_love_victory_worship_chords.pdf
    • https://b9387e75-0942-48a6-8a47-0bd3f0224277.filesusr.com/ugd/fc485c_621c28c3fd4b4ddd8d956e7a40614314.pdf?index=true
    • http://mixivilewajule.epizy.com/azeri_language.pdf
    • https://uploads.strikinglycdn.com/files/740df20c-a41c-465c-a502-26d754c023d0/myles_munroe_teachings.pdf
    • http://gevegure.rf.gd/153187619.pdf
    • https://uploads.strikinglycdn.com/files/00d03e20-730b-4fbc-ba29-91fd2f0bd6bb/what_is_survival_of_the_fittest_theory.pdf
    • https://d04c2b29-3777-4fe6-aaa9-ab96f87c3324.filesusr.com/ugd/43eb95_cc8c54907abf4841bfca016cdbdbf0ef.pdf?index=true
    • http://dumudolaba.epizy.com/dudonowunusizogodosaw.pdf
    • https://ff19a39e-637c-4fc6-80cc-750024e8dd37.filesusr.com/ugd/d217e2_120a36245a9a4c3b8cc4d51fbccd2c82.pdf?index=true
    The following seven entries are not link targets: the first six are XMP/RDF namespace identifiers from the document's metadata stream and the last is the SIL Open Font License URL carried by an embedded font.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
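The two structural heuristics above, PDF_SEO_LINK_FARM (many external links clustered on one host in a small file) and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one object number defined twice with different bytes, so first-wins and last-wins parsers disagree), can be reproduced with a few dozen lines. The following is an added example written for this page, not the analysis engine's own code. The PDF it scans is constructed inline (the hostnames a.example.net, b.example.org, c.example.com and d.example.com are placeholders, not this sample's targets), and the thresholds (10 links, 512 KB, 50% clustering on the top host) are assumptions, since the report does not publish the engine's values. It handles only uncompressed objects with literal-string /URI targets; objects packed inside /ObjStm streams, hex strings and escaped parentheses are out of scope.

```python
"""Reproduce the link-farm and duplicate-object heuristics over a constructed PDF."""
import re
from collections import Counter
from urllib.parse import urlsplit

# 'N G obj ... endobj' bodies in file order; re.S lets bodies span lines.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI targets only (no hex strings, no escaped parentheses).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def _link_obj(num, url):
    """One /Link annotation (object number num, generation 0) with a /URI action."""
    return (b"%d 0 obj << /Type /Annot /Subtype /Link "
            b"/A << /S /URI /URI (%s) >> >> endobj\n" % (num, url.encode()))


def build_sample():
    """Constructed PDF (not the analysed sample): 12 links on one host, 2 elsewhere,
    then an incremental update that redefines object 10 with a different target."""
    links = [f"https://a.example.net/uploads/{i}.pdf" for i in range(12)]
    links += ["http://b.example.org/y.pdf", "https://c.example.com/z.pdf"]
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(links)))
    pdf = b"%PDF-1.4\n"
    pdf += b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    pdf += b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    pdf += b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >> endobj\n"
    for i, url in enumerate(links):
        pdf += _link_obj(10 + i, url)
    pdf += b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body bytes.
    pdf += _link_obj(10, "https://d.example.com/redirect.pdf")
    pdf += b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
    return pdf


SAMPLE_PDF = build_sample()


def iter_objects(data):
    """Yield (num, gen, body) for every definition, including appended redefinitions."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data):
    """(num, gen) -> bodies, for objects defined more than once with differing bytes."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve_uris(data, policy="last"):
    """/URI targets as a first-wins ('first') or last-wins ('last') reader sees them."""
    chosen = {}
    for num, gen, body in iter_objects(data):
        if policy == "last" or (num, gen) not in chosen:
            chosen[(num, gen)] = body
    uris = []
    for body in chosen.values():
        uris += [u.decode("latin-1") for u in URI_RE.findall(body)]
    return uris


def parser_disagreement(data):
    """URLs that only one of the two resolution policies would ever surface."""
    return set(resolve_uris(data, "first")) ^ set(resolve_uris(data, "last"))


def link_farm_verdict(data, min_links=10, max_size=512 * 1024, cluster_ratio=0.5):
    """Assumed thresholds: small file, many http(s) links, majority on one host."""
    external = [u for u in resolve_uris(data, "last")
                if u.lower().startswith(("http://", "https://"))]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(external) if external else 0.0
    return {
        "links": len(external),
        "pdf_links": sum(urlsplit(u).path.lower().endswith(".pdf") for u in external),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "flagged": len(data) <= max_size and len(external) >= min_links
                   and share >= cluster_ratio,
    }


if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
    print({k: len(v) for k, v in duplicate_objects(SAMPLE_PDF).items()})
    print(parser_disagreement(SAMPLE_PDF))
```

Running this over the constructed file flags it as a link farm (14 links, 11 on a.example.net) and reports object (10, 0) twice with different bodies; a first-wins reader sees the original a.example.net target for that annotation while a last-wins reader sees d.example.com, which is exactly the disagreement the heuristic is looking for. On the real sample the cluster is spread over a few free-hosting domains rather than one host, so a production rule would also want to fold hosts under a shared parent (weebly.com, filesusr.com) before measuring the share.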

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are sfnt (TrueType/OpenType) font programs, the normal by-product of wkhtmltopdf embedding fonts; the ascendercorp.com and scripts.sil.org/OFL URLs in the list above most likely originate from these fonts' name tables rather than from the document text.

  • font_00_sfnt_off0001a022.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A022
    Size: 5752 bytes
    SHA-256: 63b26fdd0f0433b87e9e69f9925b90e7481c1f8030493ea0de11a6f320bdc5cf
  • font_01_sfnt_off0001b39f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B39F
    Size: 11696 bytes
    SHA-256: 087b228f659a053aa61341a39c7ca4e1cdefb98e71374c1e340c5439979b2ed8