Malicious PDF — malware analysis report

Static analysis result for SHA-256 c13832b242654387…

Verdict: MALICIOUS
File type: PDF
Size: 82.0 KB
Created: 2021-03-05 18:58:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d62b76fb7332d56b62d78c1dd3de0abc
SHA-1: cd338fcd3326e6a8cbf92fa3f515961c5ae762e8
SHA-256: c13832b2426543877b22e1b7e98e3cd1a890b2aedab537cc5438c54b24ad602a
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious and phishing-related. It contains a large number of external links, suggesting a link farm or redirection mechanism. The embedded URLs point to external sites, likely intended to host malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gimoguvi.ru/wix?keyword=planet+earth+caves+video+worksheet+answers
    • https://cdn.sqhk.co/bijozugetav/gjjcB4b/how_to_say_okay_good_in_spanish.pdf
    • https://static.s123-cdn-static.com/uploads/4454672/normal_5ff92bbd20453.pdf
    • https://cdn.sqhk.co/feripamapuv/iigrget/98897280861.pdf
    • https://cdn-cms.f-static.net/uploads/4485309/normal_601b4a4cd13ce.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b7af6bb9-01eb-4839-ab56-764651de4344.filesusr.com/ugd/2486b5_4cc3c2ff838541298bf47bb191a86483.pdf?index=true
    • https://c6f55193-7475-4343-97dd-33cb3b141b6a.filesusr.com/ugd/808d8c_78a49a2233504db9b9f0413f9a15aed2.pdf?index=true
    • https://s3.amazonaws.com/lolaritemukole/diverse_learners_guide_ldoe.pdf
    • https://1ce8651a-bfbb-4b9a-b1bf-24b3b574775a.filesusr.com/ugd/ac72e0_400a29619ffe4366bfce97fd419ffc2d.pdf?index=true
    • https://90ff81fc-98d9-4e53-96a3-aaa5c1c2042e.filesusr.com/ugd/bb5aff_8cdbc711ef2f4073a7a59c738052092e.pdf?index=true
    • https://ac614e2c-2e00-43e4-a80f-2c6bce9fb64b.filesusr.com/ugd/f103bb_d0da59275fcb4265990cfe0b9ec3cb84.pdf?index=true
    • https://83d12552-0bc1-4415-b221-1da25caacb9b.filesusr.com/ugd/1e11d0_46b6bbe5d8574eaea29267faea365c31.pdf?index=true
    • https://d78d2789-9aef-4bfd-88be-9093bec910ef.filesusr.com/ugd/87a178_736edffa507c4791a361b78215332374.pdf?index=true
    • https://s3.amazonaws.com/tapelu/how_long_is_harry_potter_5_book.pdf
    • https://d12e84a0-9808-45da-82c6-613dfe540d1b.filesusr.com/ugd/dc8a8e_cc348f7ccc894097b2928883eb756c5e.pdf?index=true
    • https://6998e30b-c911-4113-ab34-4c15204891c7.filesusr.com/ugd/429b25_fd8906bcfcdf4de5b32ed29bd5dc09e9.pdf?index=true
    • https://667abc8f-92ca-45d9-bc9d-789c80a68858.filesusr.com/ugd/dcd78f_9c46948ccfff4638ab9aea0e00441b96.pdf?index=true
    • https://75e6061f-eb7a-4ce8-b546-077bf96366c3.filesusr.com/ugd/2dfd19_8b67e766c3bb4a4d976682e6bd83c5fd.pdf?index=true
    • https://d8acad56-eb9a-42d1-a06c-a695c5b02328.filesusr.com/ugd/0ad6c7_90c7a293963941339ee32ba89b425b2d.pdf?index=true
    • https://99442e0c-e188-470f-b1e9-a2082f9e7f28.filesusr.com/ugd/2274a7_cee49fa9d69f459895d7c88c3c826309.pdf?index=true
    • https://5e54824a-8208-41b0-8aeb-7c017e8cfb46.filesusr.com/ugd/f64db8_e94729284fa449ba99de969599109a09.pdf?index=true
    • https://59b7e61f-9850-45ee-add2-e9646db267e4.filesusr.com/ugd/5b9365_3882458ab17c498682a06867c2f56c8a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010460.bin
    SHA-256: 4b45b405d5ec373ab122dabc72195e0da6f197784d0107a2d885c5108e57bd19
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10460
    Size: 5244 bytes
  • Filename: font_01_sfnt_off00011644.bin
    SHA-256: 98da92429c50b220d694a7a34bc34a646f4e72a1bd56a80858c1ff4bc4906066
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11644
    Size: 10476 bytes