Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3d428ed27028c8b…

MALICIOUS

File type: PDF
Size: 80.1 KB
Created: 2021-03-25 17:16:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 536508c98735f33bd3c7fdcc12d4d8a8
SHA-1: 7c17b45f1bd9efb90743b9fe124f98ae96fb7bb2
SHA-256: d3d428ed27028c8b510f9b918bf8e2f85cdd9becc9e9ac22d352cf0569b6dc9f
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
    No heuristic in this report observes embedded JavaScript, so treat the T1059.007 mapping as unconfirmed for this sample.

The PDF carries far more outbound links than an 80 KB document normally would, and the critical PDF_SEO_LINK_FARM heuristic classifies them as a generated link farm: most targets point at other PDFs on a few file-hosting domains (cdn.sqhk.co, uploads.strikinglycdn.com, weebly.com). One link, https://midufefew.ru/award?keyword=bible+verses+on+thanksgiving+pdf, carries the document's apparent lure theme as a query parameter, which is the pattern of a search-engine bait page redirecting to a download chain. Together with the ClamAV signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 and the classifier score of 0.9993, this indicates a phishing or malware-distribution carrier rather than a legitimate document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    A small PDF containing many clickable external links to other PDFs, mostly clustered on one host. This matches the generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware under the signature above.
  • [info] PDF_URI: External URI
    The PDF contains an external URL action (/URI).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action or script key).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; which channel (link annotation, JavaScript, document body, ...) reached each URL is recorded per URL.
    • https://midufefew.ru/award?keyword=bible+verses+on+thanksgiving+pdf
    • https://cdn.sqhk.co/vipujitebiki/dMClgfp/13260566207.pdf
    • https://tixanesel.weebly.com/uploads/1/3/4/2/134234664/tawixemarilumepa.pdf
    • https://lelamibi.weebly.com/uploads/1/3/0/7/130738841/98a717a5.pdf
    • https://cdn.sqhk.co/najuvotuwoz/ifidid6/12386515048.pdf
    • https://cdn.sqhk.co/totafeta/A1gHiaI/85529772613.pdf
    • https://cdn.sqhk.co/rapovixovuti/jwhhhgj/impostor_academy_match_merger.pdf
    • https://cdn.sqhk.co/dukizukijire/Kgelr2e/cute_wallpapers_for_ipad_air_2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2f3b2ca2-899a-42da-8a34-7752e9bb0239/stock_market_index_futures_live.pdf
    • https://uploads.strikinglycdn.com/files/a1507c9f-c4f3-46b9-91c3-0d5b4f9ed048/dupusu.pdf
    • https://uploads.strikinglycdn.com/files/afae412a-d8b8-4a12-8e8f-171fb91d9443/ganamrutha_bodhini_sangeetha_bala_padam_english.pdf
    • https://uploads.strikinglycdn.com/files/ab247f99-6f60-4089-985c-e44b7ecd0fa1/times_tables_worksheets_free.pdf
    • https://uploads.strikinglycdn.com/files/20986974-3413-4884-946b-9d7e410062de/what_chapter_did_aot_season_3_end.pdf
    • https://uploads.strikinglycdn.com/files/25f55ee1-0ac5-4e3d-93fb-221c885873af/83476391884.pdf
    • https://uploads.strikinglycdn.com/files/14ff363a-be13-4766-831e-dd3cab8d9b1b/nyne_bass_pro_battery_replacement.pdf
    • https://uploads.strikinglycdn.com/files/c6e50aa9-395e-4e38-ab2d-c85deb7add76/mowisidekokiroxag.pdf
    • https://uploads.strikinglycdn.com/files/70ffd7bf-7735-4abd-9817-6c8d93e64d8f/pokiwomofetuvamega.pdf
    • https://uploads.strikinglycdn.com/files/1db132b3-39d0-4ffe-ae6d-3a845daa6bb5/fl_studio_12_producer_edition_mac.pdf
    • https://uploads.strikinglycdn.com/files/0170619e-50a1-4242-ae28-5878cfba2271/toyota_lexus_techstream_key_programming_manuals.pdf
    • https://uploads.strikinglycdn.com/files/7df1aad5-176e-458b-a865-0686489bb946/fedekolin.pdf
    • https://uploads.strikinglycdn.com/files/f2876e84-535e-417b-b5ff-7a7774a2a407/vubodulugewojemigewozaw.pdf
    • https://uploads.strikinglycdn.com/files/c8050608-a2a2-41fb-be59-07bb1511e185/gobifukeni.pdf
    • https://uploads.strikinglycdn.com/files/d28635d2-151b-4641-9b6e-450aeb9261d0/88392650460.pdf
    • https://uploads.strikinglycdn.com/files/0f6d0df3-af54-4643-bcb7-e7a740036156/40646999884.pdf
    • https://uploads.strikinglycdn.com/files/56060256-3079-4de5-8605-fd3dc3d858f1/a_series_of_unfortunate_events_library_quotes.pdf
    The remaining URIs are RDF, Dublin Core and XMP namespace identifiers from the document's metadata packet, plus the SIL Open Font License URL; none of them is a clickable link target and they should not be counted toward the link-farm total:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
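The two structural heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_SEO_LINK_FARM, can be reproduced with a raw-byte scan. The following Python is an added example and not the analysis platform's own code. It assumes objects are uncompressed and not packed in object streams, that /URI targets are written as literal strings, and uses illustrative thresholds (256 KB file size, 10 links, 60 % of targets on one host) that are not the platform's; the sample PDF it scans is constructed inline, not the analysed file.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# "N G obj ... endobj" over raw bytes. Triage-grade only: objects packed in
# /ObjStm streams or compressed bodies are invisible to this scan (assumption).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI targets written as literal strings; hex-string forms are not handled.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Keys that make a redefined object "active content" (severity is raised).
ACTIVE = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
          b"/URI", b"/SubmitForm", b"/GoToR")


def find_duplicate_objects(data: bytes):
    """Return [(num, gen, definitions, active)] for object ids whose bodies
    differ between definitions. A first-wins reader resolves the first body,
    a last-wins reader (or a valid incremental-update xref) the last one;
    'active' is True when a later body carries an action/script key."""
    bodies = defaultdict(list)
    for num, gen, body in OBJ_RE.findall(data):
        bodies[(int(num), int(gen))].append(body.strip())
    findings = []
    for (num, gen), defs in bodies.items():
        if len(set(defs)) < 2:
            continue  # identical re-definition: benign
        active = any(key in b for b in defs[1:] for key in ACTIVE)
        findings.append((num, gen, len(defs), active))
    return findings


def extract_uris(data: bytes):
    """Decode /URI literal strings, undoing the escapes that matter for URLs."""
    uris = []
    for raw in URI_RE.findall(data):
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(data: bytes, max_size=256 * 1024, min_links=10, host_share=0.6):
    """Model of PDF_SEO_LINK_FARM: many external targets in a small file,
    most of them on one host. The thresholds are assumptions for this example."""
    uris = extract_uris(data)
    hosts = Counter(urlparse(u).netloc.lower() for u in uris if urlparse(u).netloc)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    hit = len(data) <= max_size and len(uris) >= min_links and share >= host_share
    return {"links": len(uris), "top_host": top_host, "top_share": share,
            "link_farm": hit}


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): 12 link annotations, 10 of
    them on one host, then an incremental update that redefines object 4,
    originally a harmless /URI action, as a /JavaScript action."""
    targets = [f"https://cdn.example.test/{i}.pdf" for i in range(10)]
    targets += ["https://other.example.test/a.pdf", "https://third.example.test/b.pdf"]
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(targets)))
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj",
        b"4 0 obj << /S /URI /URI (https://benign.example.test/) >> endobj",
    ]
    for i, url in enumerate(targets):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (10 + i, url.encode()))
    pdf = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body.
    pdf += (b"4 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return pdf


def triage(data: bytes) -> dict:
    """Run both checks and return the findings a report entry is built from."""
    return {"duplicate_objects": find_duplicate_objects(data),
            "link_farm": link_farm_score(data)}


if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

On the constructed sample the duplicate check reports object 4 0 defined twice with the later body active, and the link check reports 13 targets with 10 on one host, which is the shape both heuristics fire on. Against a real file, run the same scan after inflating FlateDecode streams and unpacking object streams, otherwise links and redefinitions hidden there are missed.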

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are font programs embedded by the authoring tool, not executable payloads; no heuristic above flags their contents.

  • font_00_sfnt_off0000fa8a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA8A
    Size: 5616 bytes
    SHA-256: 6a9271f46b32c862393d58f21deeef435d0d3ea8c5e5ce18891fa531a78fd126
  • font_01_sfnt_off00010da5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10DA5
    Size: 10972 bytes
    SHA-256: e862c21afb19e19f2d726011bdd454660bd97b24d8d70abb8f2b4cc9366facdd