Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4f97b38526519b7…

MALICIOUS

PDF

Size: 78.9 KB
Created: 2021-03-16 11:19:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 27a556149c1be46410da3e908eb2c43e
SHA-1: bb2ae144718171b86fd882fd12111c7da7c01eb0
SHA-256: c4f97b38526519b7094542343c13c0b2274f3521d000c62d2c5f348512c2d460
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to potentially malicious domains, indicating a link farm or SEO abuse for malicious purposes. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were directly extracted, the PDF structure and embedded URLs are indicative of a phishing or malware distribution attempt, likely initiated via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/wix?keyword=gangstar+rio+city+of+saints+apk+uptodown
    • http://lnstagramsupportingcenter.com/delafosotupozutewesolf21t.pdf
    • https://cdn.sqhk.co/pofifarim/19jfYjc/apple_carplay_digital_media_player.pdf
    • http://mmmmmme.space/filolodm5ax.pdf
    • https://cdn.sqhk.co/dugixikisim/iiFhhih/elements_of_art_line_project.pdf
    • http://xiwesesakuvel.medianewsonline.com/14076673829.pdf
    • http://quickstore.pro/8844236689n0v1m.pdf
    • http://terugate.mypressonline.com/dedication_page_with_blanche_of_castile_function.pdf
    • http://muzesumulel.getenjoyment.net/39025954683.pdf
    • https://cdn.sqhk.co/kovixileta/hgifdih/battlefield_1942_artillery_guide.pdf
    • http://lulopoboxefon.scienceontheweb.net/pokaseduxafubarapawa.pdf
    • https://cdn.sqhk.co/vadavenaw/kP1jbgd/best_rechargeable_flashlight_with_magnetic_base.pdf
    • https://cdn.sqhk.co/zukasedu/iYBWgho/lexulotuwepufolol.pdf
    • https://murasujudadalox.weebly.com/uploads/1/3/5/3/135338307/5627344.pdf
    • http://cmbclientes.com/gijoxenadisdcc4.pdf
    • https://jamobosis.weebly.com/uploads/1/3/4/6/134684796/xepik.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/6997ea0f-66a3-464d-9f0e-fd8ceaa04574/bella_crock_pot_instruction_manual.pdf
    • https://uploads.strikinglycdn.com/files/06c00c4f-c9ea-4690-92ad-91d84a1f2b45/48502989470.pdf
    • https://uploads.strikinglycdn.com/files/83c4ee67-41e4-49c0-b340-29b455defa6a/in_the_heart_of_the_sea_chapter_5_summary.pdf
    • https://uploads.strikinglycdn.com/files/50ea4699-ec32-423b-ae34-c4ac23c51c12/what_is_my_jungian_shadow.pdf
    • http://wesatume.atwebpages.com/financial_planning_budgeting_and_forecasting_financial_intelligence_collection.pdf
    • https://uploads.strikinglycdn.com/files/0bcec4e4-12e4-4ae0-a279-c76579cd3f68/nirazusesat.pdf
    • https://uploads.strikinglycdn.com/files/c9b188fa-0fa4-4973-9f5a-7bcdb0c92ba4/star_wars_in_chronological_order_including_shows.pdf
    • https://uploads.strikinglycdn.com/files/1aa61b45-efa0-4cad-8870-5d53cf8b5863/64532940534.pdf
    • https://uploads.strikinglycdn.com/files/8d91013a-ceb5-4ad9-b9f0-04b8c3ebe19b/nokakalutuvumazovesuf.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ebc6.bin
    SHA-256: 22137447d860b34dd1695a571725a7a186b797c81a3617df19d00e8b3460364a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEBC6
    Size: 5580 bytes
  • font_01_sfnt_off0000fef8.bin
    SHA-256: 59fc8108ceab71829ca7182d7a5d9fb9ffb479410e20d6b33cd3a308649b3b3b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFEF8
    Size: 20940 bytes