Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd20186a301a0eba…

MALICIOUS

PDF

Size: 94.2 KB
Created: 2021-03-31 16:42:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d197dddcd578db6d2f959e1075a6cf4d
SHA-1: 8dcb76e013007a79610e4dce74e284ec91609196
SHA-256: cd20186a301a0eba3e5725481d20a5420a6afe052ccb20c484ab8a3fc74a7bd7
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting it's part of a link farm. One of the primary external links points to a suspicious domain, and ClamAV detection indicates it's a phishing trojan. The ML classifier also strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the nature of PDF link farms often involves embedding JavaScript to facilitate redirection or exploit vulnerabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/123?utm_term=powerpoint+slide+templates+roadmap
    • https://dotuxebi.weebly.com/uploads/1/3/1/4/131454754/nafepawulolilad-dumesawisapaxov-vuvojo-zodeluk.pdf
    • https://static.s123-cdn-static.com/uploads/4369182/normal_5ffa97ae198c5.pdf
    • https://cdn-cms.f-static.net/uploads/4455196/normal_60209483d03f9.pdf
    • https://jolibudowuw.weebly.com/uploads/1/3/4/5/134596284/kajatobetegativabuf.pdf
    • https://wajegeteb.weebly.com/uploads/1/3/4/8/134896445/4399057.pdf
    • https://dovasivenumi.weebly.com/uploads/1/3/5/9/135965427/kiwutiwavitago.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://8cff94d3-ecab-4ea5-ad27-d3e67d02fd32.filesusr.com/ugd/2813e2_5e560f72b9584af9b2f6b12f2956ab2b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/63f4e54e-8f59-4d0b-90d9-1f8a1beb4df6/comcast_xfinity_home_security.pdf
    • https://uploads.strikinglycdn.com/files/76beda4e-37f4-4acc-946e-98425453c9f5/lofuze.pdf
    • https://uploads.strikinglycdn.com/files/56e5a067-17ca-4d9e-a441-e7f9caf8b8d0/que_tipo_de_interfaces_hay_para_un_sistema_operativo.pdf
    • https://s3.amazonaws.com/fuvidokibet/94667586811.pdf
    • https://s3.amazonaws.com/dupula/robin_hood_movie_2018_watch_online_free.pdf
    • https://d8acad56-eb9a-42d1-a06c-a695c5b02328.filesusr.com/ugd/0ad6c7_adae5be261c04b138313d37c1303fcbe.pdf?index=true
    • https://uploads.strikinglycdn.com/files/11f7fff5-72ef-4379-8b89-a4d099f8c12b/25663639235.pdf
    • https://uploads.strikinglycdn.com/files/96b6b9c6-8df6-4a5a-9172-1e93332da118/10450713511.pdf
    • https://uploads.strikinglycdn.com/files/0ddc7fc4-cc3c-4613-a5c7-21726aed3409/eureka_math_grade_7_module_4_answer_key_lesson_11.pdf
    • https://77a80da1-97a3-4b40-ba11-54c6d232eb66.filesusr.com/ugd/39a0fd_3f6f09fb5bf840ec98c30494bb20580b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/574b1bc4-4775-4334-b17f-e17d8d0b8a0c/ginug.pdf
    • https://s3.amazonaws.com/sumesawoxajew/49839857389.pdf
    • https://bf130ee1-1463-4c69-9604-1b23772ced92.filesusr.com/ugd/b4609a_fae5e6093dfa49348eace848712fb6bf.pdf?index=true
    • https://s3.amazonaws.com/jifedefujodu/era_paleozoica.pdf
    • https://b416d2a3-330e-4518-8f5e-c931256b4cd1.filesusr.com/ugd/5168b2_a4a8750ed9704423bd168c05748527ec.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5c72e4c7-6d85-4f01-aaab-c37c62d5ff82/samsung_m2880fw_toner_cartridge.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000133ea.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x133EA | 5200 bytes
    SHA-256: 6e20f0b6eeb190383a4971c84609643ad9915cb0e6dd85326bc25bf6411ce460
font_01_sfnt_off0001458d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1458D | 11076 bytes
    SHA-256: 2212cb69392fc6d87ce899de34aee831f761b369bde1578d71d65c61fa0025a6