Malicious PDF — malware analysis report

Static analysis result for SHA-256 c01086e09f3b4589…

Verdict: MALICIOUS
File type: PDF
Size: 86.2 KB
Created: 2021-03-22 08:05:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 87729713b4a94d99f1c922f9612ba95a
SHA-1: d178f083ff80df2ac54175e97271dadf4041a205
SHA-256: c01086e09f3b45899cef4f1bd524d9231783a02bda726cc0ada28993f20a3177
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF is small (86.2 KB) and carries a large number of clickable external links, most of them pointing at other PDFs on throwaway domains and clustered on a handful of hosts (cdn.sqhk.co and UUID-prefixed filesusr.com subdomains). That is the shape of a generated SEO link-farm carrier whose purpose is to route users into unwanted-software or phishing delivery chains, not the citation pattern of a genuine document. ClamAV matches the file with the signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 and the Nyx PDF classifier scores it 0.9992 malicious, so the signature, the ML verdict and the PDF_SEO_LINK_FARM heuristic agree. No JavaScript, launch action or embedded file was flagged by the heuristics below; the risk rests on the link targets and the AV/ML verdicts. The remaining extracted URLs (RDF/XMP namespace identifiers, the SIL OFL and DejaVu font links) are metadata references, not click targets, and are not indicators on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/123?utm_term=bernoulli%2527+s+theorem+proof+pdf
    • http://naturaitalia.space/fixanebedecfpd.pdf
    • http://kfnwejfnkwheklf.space/bent_rule_and_energetics_of_hybridization9y0rq.pdf
    • https://cdn.sqhk.co/ranemagesoga/YGjb1ha/47095407136.pdf
    • https://cdn.sqhk.co/niripakexad/hahchaj/alan_walker_faded_instrumental_song_download_djjohal.pdf
    • https://cdn.sqhk.co/wanazofemuvu/hbVAYMh/titiponifolufirone.pdf
    • http://anbieterbewertung-autoscoutch.com/animation_software_free_for_windowsnbd1q.pdf
    • http://meetraisins.club/letras_tablaturas_y_acordes_para_guitarra_de_canciones_en_ingles0p57h.pdf
    • http://tikovg.xyz/40736079080ta5kn.pdf
    • http://kakorixow.mygamesonline.org/oxford_university_press_catalogue.pdf
    • https://cdn.sqhk.co/leredupodeka/hb83AhV/fazos.pdf
    • http://social-whisper.ru/25th_wedding_anniversary_images_freew3j9u.pdf
    • http://peramabejakes.sportsontheweb.net/sugomatebafevevidifagef.pdf
    • http://soldonlittleton.com/why_is_apple_tv_remote_app_not_working5bs3g.pdf
    • https://cdn.sqhk.co/girewobo/yPia1jh/5114851178.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://ginowane.onlinewebshop.net/mapa_do_brasil_estados_e_cidades.pdf
    • https://9579f988-9383-433c-acf3-5fff76e0c882.filesusr.com/ugd/191a6d_0ba138a8841748d2969780dea53185b7.pdf?index=true
    • https://9db8f275-5044-409a-aa1b-3306d9dda9bd.filesusr.com/ugd/361f4b_94dc23bda85541f482427b358f302820.pdf?index=true
    • https://76bf42c0-7447-45ed-8dd3-33f9786ae3ae.filesusr.com/ugd/ba2c19_bb4d15b8bf044659836b09d985da0f35.pdf?index=true
    • https://147762ec-90f0-4523-8579-43cb3cd17c82.filesusr.com/ugd/6c48b9_ac37afa6786a49428302843c6218b1e8.pdf?index=true
    • https://6b137298-3864-41c5-aaa3-11744000c3c2.filesusr.com/ugd/b916f4_8e8b31a728f641a68dcec4ca48520934.pdf?index=true
    • https://6558ac43-984d-4e3a-97a1-dec8860611ed.filesusr.com/ugd/c73740_d06a2ce7e4784f6ca86d401d2f898c16.pdf?index=true
    • https://b3a1a1c9-4f8f-4fb8-b7cc-7339030cc889.filesusr.com/ugd/162fe6_648823e8e2754e9c9efe46513c119af2.pdf?index=true
    • https://19527f6f-7821-4b33-8e58-d909ab9a203f.filesusr.com/ugd/b18fc6_caf973a0d7084deabb081a3a00a4be3a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
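The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short scanner over the raw bytes. The following is an added example written for this page, not the analyser's own code: it pulls /URI link targets, scores the small-file / many-external-.pdf-links / one-dominant-host shape, and finds indirect objects defined twice with different bodies, raising severity only when a body carries active content. The thresholds, the ACTIVE_RE key list and the embedded sample PDF are assumptions constructed for the demo (the sample is not the analysed file); object streams, encryption and escaped string syntax are not handled.

```python
"""Added example: scanners for PDF_SEO_LINK_FARM and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL.  Regex over raw bytes; object streams,
encryption and escaped string syntax are not handled.  Thresholds and the
sample PDF below are assumptions, not the report's analyser."""
import re
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that run code or fire without a click (assumed list). /URI link
# annotations are not counted as active because they need user interaction.
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|OpenAction|AA|SubmitForm|GoToR|RichMedia)\b")


def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order,
    including redefinitions appended by incremental updates."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def extract_uris(data):
    """Targets of /URI actions (the link-annotation channel), in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_score(uris, size_bytes, min_links=8, max_size=200_000, cluster_ratio=0.5):
    """Small file + many clickable external .pdf links + most on one host."""
    pdf_links = [u for u in uris if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    return {"pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2),
            "flag": size_bytes <= max_size and len(pdf_links) >= min_links
                    and share >= cluster_ratio}


def duplicate_objects(data):
    """(num, gen) -> distinct bodies for objects defined twice with different
    bytes; severity is raised only when a body carries active content."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    out = {}
    for key, bodies in seen.items():
        distinct = list(dict.fromkeys(bodies))   # dedupe, keep file order
        if len(distinct) > 1:
            active = any(ACTIVE_RE.search(b) for b in distinct)
            out[key] = {"bodies": distinct, "active": active,
                        "severity": "high" if active else "info"}
    return out


def resolve(data, num, gen, policy="last"):
    """Body a first-wins or last-wins reader would use for object (num, gen)."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def scan(data):
    return {"link_farm": link_farm_score(extract_uris(data), len(data)),
            "duplicates": duplicate_objects(data)}


# Constructed sample (not the analysed file): one page with nine link
# annotations, six of them .pdf links on one host, followed by an incremental
# update that redefines the catalog (object 1 0) with an /OpenAction JavaScript.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [10 0 R 11 0 R 12 0 R 13 0 R 14 0 R 15 0 R 16 0 R 17 0 R 18 0 R] >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/a/one.pdf) >> >> endobj
11 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/b/two.pdf) >> >> endobj
12 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/c/three.pdf) >> >> endobj
13 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/d/four.pdf) >> >> endobj
14 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/e/five.pdf) >> >> endobj
15 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.test/f/six.pdf) >> >> endobj
16 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example.test/seven.pdf) >> >> endobj
17 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://third.example.test/eight.pdf) >> >> endobj
18 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.example.test/about.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    result = scan(SAMPLE_PDF)
    print("link farm:", result["link_farm"])
    for (num, gen), info in result["duplicates"].items():
        print("object %d %d defined twice, severity %s" % (num, gen, info["severity"]))
```

On the constructed sample the link-farm check fires (8 external .pdf links, 6 of them on cdn.example.test) and object 1 0 is reported at high severity because its second body adds an /OpenAction; `resolve(..., "first")` returns the clean catalog while `resolve(..., "last")` returns the one with JavaScript, which is exactly the first-wins/last-wins split the heuristic text describes. The host clustering is by exact hostname, so a farm spread over UUID-prefixed subdomains, as in the filesusr.com links above, would need the check relaxed to the registrable domain.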

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000fc0e.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xFC0E   5152 bytes
    SHA-256: 93f7376efe907e22d9fad9973684724bea1b14bae2b8f670bc23dd01911601d8
font_01_sfnt_off00010d74.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10D74  12572 bytes
    SHA-256: cc03a6cef0c386e42acee4a857a183312061fed7c01ba065d3f0b974cf123465
font_02_sfnt_off0001364e.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x1364E  16100 bytes
    SHA-256: 513236b56cd24d18f1916a542380e1656fe596eca6e14df5516133ff488da9f9

All three carved artifacts are embedded font programs, consistent with the DejaVu/SIL OFL links in the document metadata; no executable, script or file attachment was carved from the sample.