Malicious PDF — malware analysis report

Static analysis result for SHA-256 c11a5d303e5b0597…

Verdict: MALICIOUS
File type: PDF
Size: 87.8 KB
Created: 2021-03-15 15:14:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cebe0e764c30937a469cb1cc528cf7b6
SHA-1: e4f2a0c998742547ccf865c0453995031a88147a
SHA-256: c11a5d303e5b0597b5df094b2bae45e3f9637e650b36442be1d524ef1735a1a5
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of external links, many of which point to potentially malicious domains, suggesting a link farm or phishing attempt. The presence of embedded URLs and the PDF_SEO_LINK_FARM heuristic strongly indicate an attempt to direct users to external, potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off000103e8.bin
    SHA-256: e369eee04f3989fd27c8652c07f6f06394c8a662c2b3e6c559be9df892c30e92
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x103E8
    Size: 6412 bytes
  • font_01_sfnt_off000119ef.bin
    SHA-256: 4292f5d593e723c736b8cd6d2a41eac7f6ef599ed1478647526907cb446132ac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x119EF
    Size: 4952 bytes
  • font_02_sfnt_off00012add.bin
    SHA-256: b59ece4a3e774d60a77651cd120088413a7170b78b8ebbf5fee291fb79424807
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12ADD
    Size: 11328 bytes