Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8859f75101d1fe8…

MALICIOUS

PDF

79.2 KB Created: 2021-03-24 03:24:33 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b7751c57caae5b95d48c5a81a2a88c18 SHA-1: 54b28e5af960d79148b90b70dc5ccef4a8dc700e SHA-256: c8859f75101d1fe89d83d2b9e72e050da53bb68616996977bd611763da2e4204
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many of which point to suspicious domains and are likely part of a link farm designed to attract search engine traffic. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded URLs suggest it's used to redirect users to malicious content or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/123?utm_term=libro+de+verduras+y+hortalizas+pdf
    • http://demask.space/bajaj_finserv_app_apk_old_versionpwxig.pdf
    • https://wuxuburivoviw.weebly.com/uploads/1/3/4/6/134633524/bizepagejivilovikava.pdf
    • http://nosagebuki.22web.org/tilev.pdf
    • http://hookup158.fun/82527809403bcui7.pdf
    • https://xoxomupufolud.weebly.com/uploads/1/3/0/9/130969418/7344220.pdf
    • http://bilet-pdd.site/26856213432uc9rg.pdf
    • http://confirmyourverifiedbadge.com/what_does_the_area_under_a_speed_time_graph_represente92e8.pdf
    • https://static.s123-cdn-static.com/uploads/4421472/normal_6008f4ebe3121.pdf
    • https://cdn-cms.f-static.net/uploads/4447906/normal_604915ab1a95a.pdf
    • https://cdn-cms.f-static.net/uploads/4452385/normal_601ad1f4da040.pdf
    • http://mailedflkf.site/dekikigqds3j.pdf
    • https://gisubaxiza.weebly.com/uploads/1/3/4/3/134351543/xibirixezezis.pdf
    • https://xogalorezekulim.weebly.com/uploads/1/3/5/4/135400954/3838905.pdf
    • https://zedetebi.weebly.com/uploads/1/3/1/0/131070456/4322325.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7870b1d3-37ee-42da-bb1e-fbb1a22a9421/buzz_lightyear_remote_control_instruction_manual.pdf
    • https://uploads.strikinglycdn.com/files/b98350cf-7b57-4a9f-b2a6-094de974063f/suwewemosutekebekud.pdf
    • https://uploads.strikinglycdn.com/files/92013480-b74d-4c2a-8824-81711e2e8be7/reset_nanostation_m2_to_factory.pdf
    • https://uploads.strikinglycdn.com/files/67a1840b-c167-4659-ba4b-36a2c4b02972/85505998481.pdf
    • https://uploads.strikinglycdn.com/files/57343bc7-cb91-43f2-b7f5-05cacee0a6d1/how_much_is_a_catalytic_converter_for_a_2005_nissan_murano.pdf
    • http://josewovegufi.rf.gd/39563908336.pdf
    • https://uploads.strikinglycdn.com/files/001a82a7-5a2d-4a8a-a424-88f1b7bdad79/cyberpunk_2020_online.pdf
    • http://xomemajerezazaz.rf.gd/romeo_and_juliet_packet_answers_act_4.pdf
    • https://uploads.strikinglycdn.com/files/91744550-2b08-402a-a23d-e83527a94786/all_american_canner.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f283.bin
82386c8b2a5c1ab76b7e0fdcab9b2efedae119a1d2e664386bdc297fbbdbfcf7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF283 5424 bytes
font_01_sfnt_off00010500.bin
4f21389d24ba3fc2e8c7f2f13998df418454ad39b304425d55f8f95cd57e5a96		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10500 12776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.