Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfded0d8e4235897…

MALICIOUS

PDF

Size: 75.1 KB
Created: 2021-03-31 21:49:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 08be766de30669fe42b4c9692ff6c007
SHA-1: 28bb86934ee61001151ebab2ad92022e22df7446
SHA-256: bfded0d8e4235897236596c5d7769b96ca49237c10899252466b5acfbde818d9
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
    Note: none of the heuristics listed below report a JavaScript object or /JS action in this file, so the T1059.007 mapping is not corroborated by the static findings on this page.

The PDF contains a large number of external links, a pattern typical of SEO-poisoning and phishing carriers rather than of normal document citation. The PDF_SEO_LINK_FARM heuristic fired on the volume of links: most point to .pdf files on a handful of CDN hosts, while one prominent URL points to a separate host, xezojetit.ru, which the report treats as suspicious. ClamAV matched the file against its Pdf.Phishing.Trojan signature and the Nyx PDF classifier scored it 0.9991 malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature name above.
  • PDF_URI (info): External URI
    PDF contains an external URL action (a /URI action, i.e. /A << /S /URI /URI (...) >> on a link annotation or other trigger).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically because an incremental update re-emits it. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it stays at info.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) indicate which part of the file reached each URL. The rdf, dc and ns.adobe.com URIs near the end of the list are XMP metadata namespaces, not link targets, and http://scripts.sil.org/OFL together with the ascendercorp.com URLs most likely come from licence/vendor strings in the embedded fonts.
    • https://xezojetit.ru/strik?utm_term=singer+model+201-2+value
    • https://cdn.sqhk.co/junulevi/ifibKjj/dwayne_johnson_age_12.pdf
    • https://cdn-cms.f-static.net/uploads/4387816/normal_600fc717dad74.pdf
    • https://cdn.sqhk.co/zuxosutuku/efEhDLV/80982510991.pdf
    • https://cdn.sqhk.co/webunojixisa/ie0jd5e/lusinup.pdf
    • https://cdn.sqhk.co/pawapoma/2WRhajj/u_box_tv_streaming_reviews.pdf
    • https://static.s123-cdn-static.com/uploads/4446772/normal_5fec5003eac77.pdf
    • https://static.s123-cdn-static.com/uploads/4417662/normal_6001f72b28256.pdf
    • https://cdn.sqhk.co/xabiximakef/hfDbiiP/towudepin.pdf
    • https://static.s123-cdn-static.com/uploads/4408172/normal_5fc66c3d378cc.pdf
    • https://static.s123-cdn-static.com/uploads/4416930/normal_5fe1317c6c879.pdf
    • https://cdn.sqhk.co/werutojij/MVibM7W/mcd_number_near_me.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://780c8f77-0f51-49ab-8dd1-60a90eb210a4.filesusr.com/ugd/1b8612_880bca21baa047bc9ed89ff0770ccb27.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b0be9504-e98f-4e91-be6c-ea6961ac44b6/when_to_use_positive_or_negative_z_score.pdf
    • https://cf176ec6-4820-456b-adf9-61e5f06c968f.filesusr.com/ugd/43d598_ce8afde771c94a51b3056beb983bc95c.pdf?index=true
    • https://ea7788ad-ef5a-48b5-911d-3ad522045378.filesusr.com/ugd/f3bfbb_b6ba610aef3c4a1aae518cb718752e4f.pdf?index=true
    • https://b9eb3541-094c-4606-b101-17c2291fd6e1.filesusr.com/ugd/a18601_8a14db3c95e8467c837277a397ed92ed.pdf?index=true
    • https://883cd1dc-02d0-4059-8fa2-99201f92b631.filesusr.com/ugd/6166c9_1bcb174677a44fa8a0d733f4cdb6a46d.pdf?index=true
    • https://eee7329a-c4d5-4508-a8fd-a8ba515f7d9f.filesusr.com/ugd/5ed802_06c026e0a618424ebafca409f0e0ac3b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d4028e48-47ab-4ed8-a1b8-f1157a6025b0/how_to_find_the_volume_of_a_cone_in_terms_of_pi.pdf
    • https://1423d76f-a56f-4481-bf87-726e17039346.filesusr.com/ugd/14aee2_ff5dd55931144cc4aad6396a5162979b.pdf?index=true
    • https://6c71f620-b6e5-46cc-9e58-526c5f0a7a41.filesusr.com/ugd/1c90dc_e173c3ef830641398319a5d92716727a.pdf?index=true
    • https://e668d0bc-6b9c-4787-ac64-5363b724ef62.filesusr.com/ugd/6ec699_6976b060a23445ce8539dbf35f98b5ab.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e86576d1-6e52-457d-b56b-75fe0609763b/buxatux.pdf
    • https://uploads.strikinglycdn.com/files/11b749ba-c0ab-4d25-9eda-928841511bf5/suzuki_quadrunner_250_service_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
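The two heuristic descriptions above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) describe checks that are easy to reproduce on a raw file. The following is an added example, not the analysis engine's own code: it indexes the indirect objects of a constructed PDF, reports objects that were redefined with a different body, resolves /URI targets both first-wins and last-wins, and scores how strongly the .pdf links cluster on one host. The sample bytes, the hostnames and the thresholds (200 KB, at least three .pdf links, at least 50% on one host) are assumptions; only literal-string /URI values are parsed, not hex strings, object streams or escaped parentheses.

```python
"""Re-implementation of two report heuristics on a constructed sample.
Added example code; not the analysis engine's implementation."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, NOT the analysed file: a page with /URI link annotations
# clustered on one host, followed by an incremental update that redefines
# object 5 with a different body (a different /URI).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.test/a/one.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.test/b/two.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.test/c/three.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.vendor.test/) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.test/d/four.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example-bad.test/strik) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj"; the lookbehind keeps "1.4" in the header from matching.
OBJ_RE = re.compile(rb"(?<![0-9.])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values only (assumption: no hex strings, no escaped parens).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def index_objects(pdf):
    """Map (number, generation) -> list of body bytes in file order.
    A key with more than one body was (re)defined by an incremental update."""
    objs = {}
    for num, gen, body in OBJ_RE.findall(pdf):
        objs.setdefault((int(num), int(gen)), []).append(body.strip())
    return objs


def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: objects defined more than once
    whose first and last bodies differ byte-for-byte."""
    return {
        key: (bodies[0], bodies[-1])
        for key, bodies in index_objects(pdf).items()
        if len(bodies) > 1 and bodies[0] != bodies[-1]
    }


def extract_uris(pdf, resolution="last"):
    """Collect /URI targets as a first-wins or a last-wins reader would see
    them; the two views differ exactly on the duplicated objects."""
    pick = 0 if resolution == "first" else -1
    uris = []
    for bodies in index_objects(pdf).values():
        uris += [u.decode("latin-1") for u in URI_RE.findall(bodies[pick])]
    return uris


def link_farm_report(pdf, resolution="last", max_size=200 * 1024,
                     min_links=3, min_share=0.5):
    """PDF_SEO_LINK_FARM: a small file whose clickable external .pdf links
    mostly cluster on one host. Thresholds are assumptions for this example."""
    urls = extract_uris(pdf, resolution)
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "total_urls": len(urls),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_share": share,
        "flagged": len(pdf) <= max_size and len(pdf_links) >= min_links
                   and share >= min_share,
    }


if __name__ == "__main__":
    for (num, gen), (first, last) in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} redefined:\n  first: {first!r}\n  last:  {last!r}")
    for res in ("first", "last"):
        print(res + "-wins:", link_farm_report(SAMPLE_PDF, res))
```

Running the two resolutions side by side is the point of the duplicate-object check: a first-wins reader sees a fourth CDN .pdf link, a last-wins reader sees the lure URL instead, and a scanner that only honours one of them will miss the other view. The host-clustering score should be read alongside the file size, since a long reference list in a large document is the benign case the heuristic is trying to exclude.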

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e76a.bin | 495eaf0dcff7dc430407f2a736ec292a3c864bb9a937ecf055b23701bc9ef125 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE76A | 5488 bytes
font_01_sfnt_off0000fa0c.bin | 45df9c4ee965b63d144b309d66db1cfbddba785cf7fb9ea8c3af204e9ed51e24 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA0C | 10984 bytes
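The artifact table records each carved font by stream offset, size and SHA-256, with the file name derived from the offset. The following added example (not the analysis engine's code) reproduces that carving on a constructed PDF: it locates every stream keyword, reads the direct /Length from the enclosing dictionary, keeps the streams whose first four bytes are an sfnt magic, and checks that the sfnt table directory fits inside the stream so that a blob with a fake font magic is reported as implausible. The sample file and its fake font bodies are constructed; indirect /Length references, filtered streams and object streams are out of scope here (an assumption).

```python
"""Carve sfnt-typed (TrueType/OpenType) streams out of a PDF by raw offset.
Added example code on a constructed sample; not the analysis engine's carver."""
import hashlib
import re

# sfnt header magics: first four bytes of a TrueType/OpenType file.
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Mac)",
    b"OTTO": "OpenType/CFF",
    b"ttcf": "TrueType collection",
}
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")            # skip "endstream"
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct lengths only


def build_sample():
    """Constructed PDF with a content stream, two plausible fake fonts and a
    decoy stream that carries an OTTO magic but an impossible table count."""
    content = b"BT /F1 12 Tf (hello) Tj ET"
    ttf = b"\x00\x01\x00\x00" + b"\x00\x02" + b"A" * 40   # numTables = 2
    otf = b"OTTO" + b"\x00\x03" + b"B" * 60               # numTables = 3
    decoy = b"OTTO" + b"\xff\xff" + b"C" * 10             # numTables = 65535

    def obj(num, extra, data):
        return (b"%d 0 obj << /Length %d %s >>\nstream\n" % (num, len(data), extra)
                + data + b"\nendstream\nendobj\n")

    return (b"%PDF-1.5\n"
            + obj(1, b"", content)
            + obj(2, b"/Length1 46", ttf)
            + obj(3, b"/Subtype /OpenType", otf)
            + obj(4, b"/Subtype /OpenType", decoy)
            + b"trailer << /Root 5 0 R >>\n%%EOF\n")


def carve_fonts(pdf):
    """Return one record per sfnt-typed stream: offset, size, kind, SHA-256,
    a report-style file name, and whether the table directory fits."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        dict_start = pdf.rfind(b" obj", 0, m.start())
        if dict_start < 0:
            continue
        length = LENGTH_RE.search(pdf[dict_start:m.start()])
        if not length:
            continue  # indirect /Length: out of scope for this example
        offset = m.end()
        data = pdf[offset:offset + int(length.group(1))]
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue
        # Offset table: 4-byte tag, uint16 numTables, then 16-byte table records.
        num_tables = int.from_bytes(data[4:6], "big") if len(data) >= 6 else 0
        plausible = kind != "TrueType collection" and len(data) >= 12 + 16 * num_tables
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{offset:08x}.bin",
            "offset": offset,
            "size": len(data),
            "kind": kind,
            "plausible": plausible,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


if __name__ == "__main__":
    for rec in carve_fonts(build_sample()):
        print(f"{rec['filename']} {rec['kind']:14} {rec['size']:6} bytes "
              f"plausible={rec['plausible']} sha256={rec['sha256'][:16]}...")
```

The plausibility check matters in triage: a stream declared as /FontFile2 that fails it is either damaged or is not a font at all, and deserves a closer look before the carved blob is fed to a font parser.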