Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2a9412b8cc3a30d…

MALICIOUS

PDF

76.3 KB Created: 2021-04-04 09:00:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3985bc33bf745faef8e5a0d8e6d7bcac SHA-1: b67fcf321605c127b00fcf12cc25da6e6ca7dff0 SHA-256: c2a9412b8cc3a30dda66f66be309412c554d8dc1cb6064c668c8de18090bbb59
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a significant number of external links, many hosted on disposable domains, indicative of a link farm or SEO abuse. ClamAV and ML classifiers identified this as a phishing or malicious PDF. While no scripts were directly extracted, the PDF structure and numerous external URIs suggest an attempt to redirect users to malicious or deceptive content, potentially as a phishing lure or to manipulate search engine rankings.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/award?keyword=binary+decimal+hexadecimal+conversion+pdf
    • http://kiwenalod.medianewsonline.com/94656038352.pdf
    • http://golivexi.22web.org/fidepobukawe.pdf
    • http://tafugegajotu.mygamesonline.org/how_do_i_know_when_my_zagg_keyboard_is_fully_charged.pdf
    • http://xeberok.getenjoyment.net/pozodebipu.pdf
    • http://jamotovoxut.mywebcommunity.org/plantronics_reset_pairing.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://748f1d53-d141-46c1-926a-d14fc69713a3.filesusr.com/ugd/e3ed1f_57053cdfebc74d1eaf88480c96549d64.pdf?index=true
    • https://99516632-72ce-40f3-a9a1-a01c91361c65.filesusr.com/ugd/e42c35_26da7056daf84cb6b025a1db9df1dd2c.pdf?index=true
    • https://327bbe42-9aa5-4ca0-80e5-6c9857058a26.filesusr.com/ugd/2b870b_c2b1ff7201a84e5993466be5463bd911.pdf?index=true
    • http://runaredikulenin.epizy.com/strongs_concordance_truth.pdf
    • https://0ed7c29b-d5f2-4290-8b47-add6aa38300d.filesusr.com/ugd/32a223_f170782d49694f30bb23abd236d88586.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cf2809cb-4109-4cd0-9aee-b8e86e65ddda/evermore_alyson_noel_quotes.pdf
    • https://6b9ff03a-ef48-417a-a14c-919df0f903d0.filesusr.com/ugd/f459ea_5b74795ae433483cab2f0d3330976e70.pdf?index=true
    • https://45f61934-b4a1-4335-a9e3-e142d9465b5b.filesusr.com/ugd/0dd040_2a4cf25648a940feb63faf148f63ff80.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d0925cb2-24dc-459d-9830-7220e4e32b41/15670810795.pdf
    • https://uploads.strikinglycdn.com/files/895913e6-7f57-4061-8e11-6bf0797883d5/70800567803.pdf
    • https://6ec3981f-6443-463b-a164-91fc69f101d9.filesusr.com/ugd/7603ae_d8b0bcccb0044e8b8582c3575b6c43dd.pdf?index=true
    • http://mowobamalopun.epizy.com/retirement_resignation_letter_template_australia.pdf
    • https://21319658-e817-4d6a-846f-872ccfe0f0c2.filesusr.com/ugd/982af2_eda4c5f13ca84856a82b1092bfe9fe6d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/980183ce-34a4-4e65-a640-d8d3cb7adcc5/54114301687.pdf
    • https://uploads.strikinglycdn.com/files/1a9e612b-9213-4ffd-8027-c9f4c66b7181/walgreens_wrist_blood_pressure_monitor_directions.pdf
    • https://1bf92926-22d0-44a1-94fb-b51843c41cd5.filesusr.com/ugd/762c1a_45d915cef48a4e47801d89d418f7a98e.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e201.bin
434b0aebb2d30d6fda19539ca5eea1a5606a047cca8b3e07a4e3f00c4f015169		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE201 5384 bytes
font_01_sfnt_off0000f41e.bin
1be3e4a24cb7f256d27bb75c3f1264c298d285e202c059bcad9f833f9ff6ed5b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF41E 10404 bytes
font_02_sfnt_off000117c5.bin
d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378		 pdf-font-stream PDF embedded font (sfnt) at offset 0x117C5 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.