Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6f0d69799b564e5…

Verdict: MALICIOUS
File type: PDF
Size: 83.6 KB
Created: 2021-03-30 11:19:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 635ecba3194bd73ac2130df4d467029b
SHA-1: 765b169ce5605de8e5d6130c5b43b4a81ca90fa4
SHA-256: c6f0d69799b564e54b64b047a50f315ef9bdc176ec6114719f3837fa3312b902
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics, including a ClamAV signature and an ML classifier. It contains a large number of external links, suggesting it is part of a link farm designed to manipulate search engine results or redirect users to malicious sites. The primary malicious URL identified is https://maypoin.ru/award?keyword=ciclo+biologico+ascaris+lumbricoides+pdf.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://maypoin.ru/award?keyword=ciclo+biologico+ascaris+lumbricoides+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f943.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF943   5336 bytes
  SHA-256: ed4160712060afd2f3611805233438458781804b0526877c125e0890a4d821bd
font_01_sfnt_off00010b57.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10B57  11424 bytes
  SHA-256: cf910aa18a077a1541a94e7f6c0d12d4d4c6d9dc2900aedcaf40bd0ec505a1c8
font_02_sfnt_off000131d8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x131D8  4324 bytes
  SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e