Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1ddc3fe19d8d367…

MALICIOUS

PDF

Size: 99.8 KB
Created: 2021-04-02 19:01:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 50623d958ab2d302c7d551d5f7beef1b
SHA-1: ae1d723ed56a33b96cc2fdb05eee285801b4f4f7
SHA-256: d1ddc3fe19d8d3670ee530e7adda0084fb3af9cfee4b3de72a3ce86bd5bf19d3
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a large number of external links, suggesting it functions as a link farm to distribute malicious content or phish users. While no scripts were explicitly extracted, the PDF structure and numerous external URIs point towards an attack pattern involving redirection to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9984

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    The PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename | Kind | Source | Size | SHA-256

  • font_00_sfnt_off0000f013.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF013 | 3884 bytes
    SHA-256: 4bb4bef61a382228b97b20a442f0ee9ed78448544756be03352eda16560119ac
  • font_01_sfnt_off0000fdd5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFDD5 | 4984 bytes
    SHA-256: ec04e6b2abe1f02c4f1c1d412ec919ad5d9de63c7a23141088c3b25681207d7a
  • font_02_sfnt_off00010ec7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10EC7 | 20952 bytes
    SHA-256: b1934fdd5b0cef12df97c6d96b0f109aa018dfea310f2e258f3a99aacec19f39
  • font_03_sfnt_off00012ee9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12EE9 | 13320 bytes
    SHA-256: 7402dd4b4d0ab622496f15e06dc3e82ba31a61e1b7919e236704785b7f1c3235
  • font_04_sfnt_off00015b86.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15B86 | 16548 bytes
    SHA-256: 250635f1cb9fad518facfcda49186dc183b76ced03196e861ea218962e0af60b
  • font_05_sfnt_off0001724c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1724C | 4324 bytes
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e