Malicious PDF — malware analysis report

Static analysis result for SHA-256 d38ff2dd8d8b050e…

Verdict: MALICIOUS
File type: PDF
Size: 107.8 KB
Created: 2021-03-22 04:51:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e57dd0f0d3f3d4a2fd87b1fe52247af5
SHA-1: d4fde94c54ffed8d0959478d6147939fd5769293
SHA-256: d38ff2dd8d8b050eaa172b177fb1c370b857c8d8ce2ed41e7c71712f43c55e38
Risk Score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded URLs, many pointing to disposable hosting services, and is flagged by ML classifiers and ClamAV as malicious. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a deliberate attempt to create a link farm, likely for SEO manipulation or to host malicious content. The presence of external URIs and the overall structure suggest the document's primary purpose is to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00014cc2.bin
    SHA-256: 18b052cc7ee1af0dc28d02b7ba609d7f268bc348feb7db5a5451a39709b7978a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14CC2
    Size: 3044 bytes
  • font_01_sfnt_off00015796.bin
    SHA-256: c87b776912426d1690975a14eec01c5ecb968eb86e997543463d5904c28d3edb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15796
    Size: 4720 bytes
  • font_02_sfnt_off000167a1.bin
    SHA-256: 6b763146e7645ffd607758f8cb8a3ae3cd070c1474b2761d3801417536f87d71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x167A1
    Size: 10828 bytes
  • font_03_sfnt_off00018c96.bin
    SHA-256: 84d5bd19c210eb3b73ecc14096ab1e56fdfb5b80ce7ba4f0052c67c0c2b02727
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18C96
    Size: 16060 bytes