Malicious PDF — malware analysis report

Static analysis result for SHA-256 c47b6d8591bfb28a…

MALICIOUS

PDF

68.5 KB Created: 2021-05-29 00:20:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ef1ab8ca18772d32cd23e24e9497f091 SHA-1: b31d30b392f45743a8dc35b8ae37e1acd18c7dd0 SHA-256: c47b6d8591bfb28aec8667cb5612f11d014c1ef024645814e0a87cdcb3c2cc36
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, many pointing to Weebly-hosted PDF files, suggesting a link farm or SEO manipulation tactic. While no scripts were explicitly extracted, the PDF structure and the presence of external links are indicative of a phishing or malware distribution attempt, likely initiated via a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xajibur.ru/wb?keyword=what%20does%20it%20mean%20when%20your%20ac%20light%20flashes
    • https://zovuzutozureje.weebly.com/uploads/1/3/0/7/130739602/af2774.pdf
    • https://lufegema.weebly.com/uploads/1/3/4/1/134132410/muwamokew.pdf
    • https://sidusumidiwef.weebly.com/uploads/1/3/4/3/134366372/981564.pdf
    • https://pasiwuguvode.weebly.com/uploads/1/3/4/6/134601834/d10503f6a32bc.pdf
    • https://vozopameniv.weebly.com/uploads/1/3/4/5/134593493/duliji_kokuva_jitopilavonizab.pdf
    • https://tefuxaforubexo.weebly.com/uploads/1/3/4/4/134446539/4175868.pdf
    • https://xegiduburap.weebly.com/uploads/1/3/5/2/135294675/4059324.pdf
    • https://mebirofaz.weebly.com/uploads/1/3/5/3/135384836/3e97cb7d3a.pdf
    • https://bilewemebit.weebly.com/uploads/1/3/5/9/135964156/ropefozazetibuko.pdf
    • https://vifunufuwo.weebly.com/uploads/1/3/4/5/134596702/wiwabosefuxanefivu.pdf
    • https://ladupizisegi.weebly.com/uploads/1/3/1/3/131380895/kireki.pdf
    • https://lefagetali.weebly.com/uploads/1/3/2/3/132302894/1862130.pdf
    • https://jotozorofelafik.weebly.com/uploads/1/3/1/4/131405965/sozajurepupag.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ee170260-31b2-4a99-8899-493084723116/gadamer_truth_and_method_2004.pdf
    • https://uploads.strikinglycdn.com/files/7d5ccdad-212f-4085-8c43-8448195cde6b/how_to_install_motion_sensor_light_bulb.pdf
    • https://uploads.strikinglycdn.com/files/925657b6-ce1d-4c3e-8fc7-1f27dba96593/zimuxin.pdf
    • https://uploads.strikinglycdn.com/files/a9fc8475-de30-4597-985b-51eac5718b19/64128564088.pdf
    • https://uploads.strikinglycdn.com/files/f951cc6c-ef0f-4282-aa1e-4faa14c07c59/neighbourhood_of_a_point_examples.pdf
    • https://uploads.strikinglycdn.com/files/ede50f66-4479-4212-9e68-6b20a22f168d/67122136927.pdf
    • https://uploads.strikinglycdn.com/files/7df98d2d-3022-4452-90fb-5dae1c9c6ef6/how_much_does_a_health_and_safety_course_cost.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cc57.bin
9442b42e24f85f2b9fbfaa818af9c5eed39869d3d6c3761182b31f82e4c996c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC57 5644 bytes
font_01_sfnt_off0000df7f.bin
1d5883839ea86a62d6c067c42cde48c8690fff81ecf0194c7b3e76693c7c5a28		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF7F 10408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.