Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc45f9655052fe69…

MALICIOUS

PDF

76.0 KB Created: 2021-05-16 21:46:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2ea4b2823628c7af5f893f5ef6586693 SHA-1: 280a4d3d697ce00a0172dd8f52c1e09175e2bf89 SHA-256: cc45f9655052fe692c22f756f66e5ffaf92f6e5cadc6928092779d5585d34586
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document identified as malicious by ClamAV and an ML classifier. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or phishing attempt. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a URL that aligns with the 'PDF_SEO_LINK_FARM' heuristic, indicating a likely attempt to manipulate search engine results or redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/strik?utm_term=bombas+de+agua+sumergibles+tipo+bala
    • http://rodina38.ru/elric_of_melnibone_book_2ovqwy.pdf
    • http://kagaromorin.medianewsonline.com/manujovobefukatujinezem.pdf
    • http://blubadgehelp.net/directv_h24-700_specs35g08.pdf
    • http://complect-tech.ru/21466523194ki37p.pdf
    • http://nezowigivomi.scienceontheweb.net/water_pollution_ppt_presentation.pdf
    • https://cdn.sqhk.co/sawibevas/dGlhgiQ/4391320913.pdf
    • https://cdn.sqhk.co/xogatijixe/7jgFPQF/27220534059.pdf
    • http://site-shop.xyz/99092537287pdvt4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e1c07d4e-6587-4767-b76f-5dea9cf3e327.filesusr.com/ugd/51a829_7d978cd7b6214e8caec67b2d75c5dfef.pdf?index=true
    • https://e61e9f85-32c5-4861-9fd4-b89109084c35.filesusr.com/ugd/2e4eb4_e6fb3223b3824446b843af63bb8e522d.pdf?index=true
    • https://3d7c42e8-cad9-4196-8f3c-0f210fd97588.filesusr.com/ugd/1b7c00_d3e2a553f601407b9582d16893c8501a.pdf?index=true
    • https://s3.amazonaws.com/bogeguva/developing_android_apps_with_python.pdf
    • https://d5e9a058-cbdc-4968-ba72-30cdbf1e36a3.filesusr.com/ugd/9cfd0a_7888a9e8958648efbe6318fb8e14c0e1.pdf?index=true
    • https://d2497fa9-5496-4194-9764-f4b168485e88.filesusr.com/ugd/eed259_b631fce1d8134d908224b869e032f10c.pdf?index=true
    • https://s3.amazonaws.com/mexavofezoxi/the_selection_movie_netflix_release_date.pdf
    • http://xakagigoneliv.myartsonline.com/barbituricos_mecanismo_de_accion.pdf
    • https://00f02ae0-031c-4cf4-85c3-86bbc6d7deb2.filesusr.com/ugd/13f2e4_1205b6b06d4047288b03f501827a0e1c.pdf?index=true
    • https://ff4d9611-e7ea-45f2-85d3-f0b464ef817f.filesusr.com/ugd/48f461_361ad35405324d81814f8d0c538283fd.pdf?index=true
    • http://wudazebej.atwebpages.com/animal_kingdom_classification_download.pdf
    • https://s3.amazonaws.com/ronenitevodo/longman_dictionary_file.pdf
    • https://f499a9ea-5579-4d3c-a180-ba191067f9b7.filesusr.com/ugd/34ec99_8145e66727644828bebf5d9f9097f4b3.pdf?index=true
    • https://s3.amazonaws.com/somamere/c_programming_lab_manual_jntu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e453.bin
366b7d22771b7c59135122d0c1d06132792daea08e79241c46ba73c6a840eeeb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE453 5468 bytes
font_01_sfnt_off0000f6c6.bin
f84c3579f7bb6360c9eb9d66e600b2657a7345b24846ea125dda416bd19b4536		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF6C6 13064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.