Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd926fb9a2d54696…

MALICIOUS

PDF

81.6 KB Created: 2021-03-18 19:36:50 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6edeb80e19a99b3ae84e12a2d302833e SHA-1: 7415150929465b157749b9fbad4a433bb2e29669 SHA-256: cd926fb9a2d546969a76760db2b0e662cc40bd2c7eaee638f10656d300a5bde2
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a large number of external links, many pointing to disposable hosting, suggesting a link farm or phishing operation. The document body is heavily obfuscated and appears to be malformed, but the presence of external URIs and the overall structure strongly suggest a malicious document designed to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/123?utm_term=anno+1800+mods
    • https://nudiwosesi.weebly.com/uploads/1/3/4/3/134317077/5463122.pdf
    • https://sinezotuze.weebly.com/uploads/1/3/0/9/130969777/ranij-fadopiri-sokigijexonek-xebipizisil.pdf
    • http://zabibut.iblogger.org/cross_section_volume_calculus_formulas.pdf
    • https://cdn.sqhk.co/vipatajase/RTgfjfc/4k_gaming_wallpaper_for_pc_zip.pdf
    • https://ferizovewop.weebly.com/uploads/1/3/4/8/134887996/xenagobe.pdf
    • https://zaxonuwikujad.weebly.com/uploads/1/3/0/8/130874627/e9e6032ce4.pdf
    • https://tuvuneboginat.weebly.com/uploads/1/3/1/6/131606819/wamiwi.pdf
    • https://cdn.sqhk.co/kupemopo/3ifVlja/nba_2k20_switch_eshop_price.pdf
    • https://cdn.sqhk.co/fepexeguma/dicWjiB/67242729726.pdf
    • http://fiteduwad.22web.org/zejobonosuvab.pdf
    • http://namunemalem.22web.org/44724793945.pdf
    • http://fobezevuwoki.iblogger.org/arithmetic_and_geometric_sequences_and_series_formulas.pdf
    • https://cdn.sqhk.co/zujijivopuju/jgtsjN3/when_will_season_2_of_warrior_nun_start.pdf
    • https://tutetalugono.weebly.com/uploads/1/3/1/8/131857120/ad429e7e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://21a67f6d-2aea-439f-a910-ed4feb6be009.filesusr.com/ugd/173616_1b51e2f02a044820867a844ec5ad4e88.pdf?index=true
    • https://99470c7d-c692-4648-a7b8-36ea19db2883.filesusr.com/ugd/ab059d_0ad2380966d4490bbe6db822735a5e91.pdf?index=true
    • https://21e323bd-7fdd-46e9-a6c7-4880e76d7610.filesusr.com/ugd/0a51c1_a0b8a57cfaad4ffebfba248937151ce9.pdf?index=true
    • https://eadb47d6-6712-4ecd-aa5a-2cdcf2d90b86.filesusr.com/ugd/c844bf_24aadb3e9c8945a099a69d81e67b4235.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5f5e0e24-96c7-47dd-91c3-05dcc974af21/the_witcher_books_hardcover.pdf
    • http://bogepep.rf.gd/general_information_sheet_requirements.pdf
    • https://uploads.strikinglycdn.com/files/f6a70eeb-91f1-482b-812c-f1676da16492/wow_classic_system_requirements_laptop.pdf
    • https://uploads.strikinglycdn.com/files/7e69af37-2f05-4754-bee7-e81d9e0cb3fa/dracula_di_bram_stoker_quotes.pdf
    • https://80820154-e864-4b0c-832b-212b24169927.filesusr.com/ugd/c12414_3917886ad11f4156b718dd072d9a6c9e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2853bdba-6e89-4687-83ef-691c02d86e6c/lumefedofetifimunub.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010118.bin
974182da3738b27a8bf96cd093abd2e8739c7a8f43147896b5f459faa2881480		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10118 5012 bytes
font_01_sfnt_off0001121e.bin
b10acebe91b8e35b043ee5944f377e3c0fc548adb0467433354514c17136a39e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1121E 11364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.