Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1e01ca7e8d75119…

MALICIOUS

PDF

Size: 83.0 KB
Created: 2021-03-25 16:18:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b94d204f84a67c2108b4a66e1ca01c4d
SHA-1: b2bdd52089ede03c9b9f84687d292bbee96b47b3
SHA-256: d1e01ca7e8d751191102a6a4a8d0cf445a3ac168e1aae8f8a277381a69df0918
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of numerous external links, with 'https://jottigo.ru/wix?keyword=lawro%2527s+predictions+latest' being a primary example. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create SEO-optimized content or landing pages. The presence of embedded JavaScript, though not detailed here, further supports the potential for malicious activity.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jottigo.ru/wix?keyword=lawro%2527s+predictions+latest

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
  • font_00_sfnt_off0001063a.bin
    SHA-256: ad8596e63b01e5140570aac7cb30babd38838c2c55c630c5781e98ba667fe580
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1063A; Size: 5132 bytes
  • font_01_sfnt_off000117da.bin
    SHA-256: a8a37259bf67cc4e7b02b580ec60867fdb692c6efc7b79e269902ac1c4f4ab87
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x117DA; Size: 11064 bytes