Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc809a5ffa39e611…

Verdict: MALICIOUS

File type: PDF

Size: 83.7 KB
Created: 2021-03-27 18:50:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4bcfffe1685e40790dc8520c08366f7f
SHA-1: 89236a31099c4aba93198801af303c88fc40d747
SHA-256: bc809a5ffa39e6115ecdc03f5aecbdbd9642e13838bc15dfda3e16416ceaed0c
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many pointing to Weebly-hosted PDFs, suggesting a link farm or phishing campaign. The ClamAV detection and ML classifier strongly indicate malicious intent, likely to redirect users to phishing sites or download further malware. While no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of malicious redirection techniques.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/strik?utm_term=graco+pack+n+play+on+the+go+bassinet
    • https://xoxatazafej.weebly.com/uploads/1/3/4/8/134861408/952f897.pdf
    • https://moxalabukeziro.weebly.com/uploads/1/3/4/7/134772199/9731123.pdf
    • http://komarovskii.xyz/human_biology_questions_and_answerszsvw7.pdf
    • http://lunatan.medianewsonline.com/glossary_of_accounting_terms_and_definitions.pdf
    • https://cdn-cms.f-static.net/uploads/4454168/normal_6044d07e55fdb.pdf
    • https://static.s123-cdn-static.com/uploads/4477369/normal_6004955e25791.pdf
    • http://jinevul.mygamesonline.org/58593397307.pdf
    • https://lulitetuxopibol.weebly.com/uploads/1/3/1/1/131164377/borawojixefutit.pdf
    • https://cdn-cms.f-static.net/uploads/4380226/normal_604ee54f92ce6.pdf
    • https://ropoluwuxonixol.weebly.com/uploads/1/3/4/6/134692090/f688d37.pdf
    • https://torudedo.weebly.com/uploads/1/3/4/3/134352944/dexavewuvake_dimesuxusudul_vadasup_dabewisapulopu.pdf
    • https://cdn-cms.f-static.net/uploads/4408713/normal_600e76074cf44.pdf
    • https://retariluwefise.weebly.com/uploads/1/3/4/8/134858211/bilus.pdf
    • http://liketime.online/nokovasifuxamusafixiw4eq9i.pdf
    • http://vevovifox.scienceontheweb.net/65798161789.pdf
    • https://kemusasozez.weebly.com/uploads/1/3/0/9/130969555/17a0a.pdf
    • https://niwuxepajo.weebly.com/uploads/1/3/4/6/134669398/3271252.pdf
    • https://cdn-cms.f-static.net/uploads/4369189/normal_604d951f62f3d.pdf
    • https://cdn-cms.f-static.net/uploads/4464541/normal_5fdbd7ffeda08.pdf
    • https://cdn-cms.f-static.net/uploads/4366398/normal_6026a13c5fcd1.pdf
    • http://vvvvvvvvvvvvvvvvvvvvvb.xyz/snake_plant_light_and_waterfyq02.pdf
    • http://select-get.top/best_vr_games_2020_ps4v0313.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://malejubu.myartsonline.com/70965937677.pdf
    • http://fazovalekotevo.onlinewebshop.net/passive_voice_past_simple_elementary_exercises.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
  • font_00_sfnt_off00010752.bin
    SHA-256: 21f3382bec2d43fc12d91bfba1a62fbd6c02754f23a982e01457912857781cc3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10752
    Size: 5532 bytes
  • font_01_sfnt_off00011a23.bin
    SHA-256: 2af1f13df5f51f9ac2cd2648c981520b92f527479cd2caf8596b288c1f0599f0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A23
    Size: 11220 bytes