Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1db89334bf6deea…

MALICIOUS

PDF

79.0 KB Created: 2021-03-11 09:40:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 185f1c0bd363cc3b9cd8481451412d3d SHA-1: 13e49b36e3fdcf19bbf6ac88606eaa3c4c065098 SHA-256: d1db89334bf6deead4e1144d186dab195d3f221bdd32eb41e5e9782f14c6e510
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic firings reveal it contains a mass external PDF link farm, with numerous URLs pointing to external resources. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create PDFs from web content. The primary attack pattern appears to be directing users to a network of external sites, likely for phishing or to serve further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/123?utm_term=black+patent+platform+heel+sandals
    • https://vinipuzi.weebly.com/uploads/1/3/0/7/130776781/824ec8.pdf
    • https://cdn.sqhk.co/gitovera/zjfXhdA/smd_components_packages_list.pdf
    • https://cdn.sqhk.co/dugelabomaw/Lhay3gd/gonarofamuwuxumosumixoro.pdf
    • https://cdn.sqhk.co/lolajelor/1tW9VgY/the_triple_alliance_before_1914_included_which_countries.pdf
    • http://fb-pageunderreview.com/how_to_get_answers_for_any_homework_or_test_freezy9gs.pdf
    • https://cdn.sqhk.co/xexegapimuwi/ifjjGje/gastric_band_app_reviews.pdf
    • http://ita-yog.space/emergency_treatment_of_hypertension9ejq2.pdf
    • https://goxejebifebiv.weebly.com/uploads/1/3/2/6/132682819/9760934.pdf
    • https://static.s123-cdn-static.com/uploads/4482870/normal_5fca0b5280222.pdf
    • https://sebiwijojemobod.weebly.com/uploads/1/3/4/0/134097571/soxen_ridifukova.pdf
    • https://xupumoga.weebly.com/uploads/1/3/1/1/131164417/e083297f7e.pdf
    • http://m-ryanaf.site/how_to_properly_cite_a_book_in_apa_formatwo0kt.pdf
    • https://cdn-cms.f-static.net/uploads/4484154/normal_602288b6695a4.pdf
    • https://cdn.sqhk.co/waboperunut/eOibaha/truth_or_dare_game_questions_for_girlfriend.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cef8af8d-7071-4339-ac50-fc417d371010.filesusr.com/ugd/a89196_cd532d4c957a42a6b6041d9e4911e83a.pdf?index=true
    • https://254a6a59-343e-4b7e-907c-c4819e171fff.filesusr.com/ugd/decf6f_dec48aaf55b04499ba0fec49f3411c88.pdf?index=true
    • https://78fa80b2-8629-447b-ad63-53e91e8d4948.filesusr.com/ugd/8f02de_ae4c7b120bd54476bd9382317f5caee0.pdf?index=true
    • https://7afcd0b8-98df-42a4-afe0-9544d44c9539.filesusr.com/ugd/74e9cf_8edb47fb67db463d836dd2a7ba687000.pdf?index=true
    • https://s3.amazonaws.com/toliwudalamem/how_to_remove_battery_cover_on_snapper_riding_mower.pdf
    • https://11ab4cf5-156d-4417-99e9-5039b2a7eb5f.filesusr.com/ugd/82d61e_bfddcd726ab348eabe9660dfbda89a83.pdf?index=true
    • https://s3.amazonaws.com/gisujubolidine/30836147863.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f4e1.bin
bd3ccb5cfb3490c0b379f5051f2651418b474250ab94f9aa81e2579070cd8796		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF4E1 5508 bytes
font_01_sfnt_off00010777.bin
7c2e53e2391f4f5ea25a82906518e6cf9aa45ebcd669a6ddb7f1bde248a4823b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10777 11040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.