Malicious PDF — malware analysis report

Static analysis result for SHA-256 c34e2010d1d95f57…

MALICIOUS

PDF

Size: 83.6 KB
Created: 2021-03-17 22:26:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7969d5ba59848d9fb19a6cb08fec5ccc
SHA-1: d77167090fd9a1be1638b1f72638601760f98990
SHA-256: c34e2010d1d95f57feea2fc9f7452b03d9340425a76f5282354eb1f6f2193618
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. It contains a large number of external links, suggesting a link farm or phishing attempt. The presence of URLs such as 'https://lozipotod.ru/wix?keyword=granblue+fantasy+apk+english+patch' and 'http://gasolotiravizid.sportsontheweb.net/unlimited_power_tony_robbins_download.pdf' further supports this, as they point to potentially malicious or SEO-abusive domains. Although no scripts were explicitly extracted, the PDF structure and the link-farm behaviour are indicative of a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis (Filename, SHA-256, Kind, Source, Size).

  • font_00_sfnt_off0000f7b2.bin
    SHA-256: fdfcc52418fdf233d87e0ba1c3361ac69f3ace2afb861be475c88bdabc9fdd17
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF7B2; Size: 4572 bytes
  • font_01_sfnt_off0001079b.bin
    SHA-256: 698c742a4a0acac0aee0a743dea88affff46762b88da3b8e5e90d8c4743bdd7b
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1079B; Size: 5616 bytes
  • font_02_sfnt_off00011abd.bin
    SHA-256: d9b9cde1b8cf70a3ad5ddb436cb23a65a72e9f14cca0d35bd7ccec62ec9448df
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11ABD; Size: 11180 bytes