Malicious PDF — malware analysis report

Static analysis result for SHA-256 d65ec605e1b80a6e…

Verdict: MALICIOUS
File type: PDF
Size: 99.3 KB
Created: 2021-03-29 20:08:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-02
MD5: 317ca0df6a3531737d1a865e85ce4d8c
SHA-1: 108ea247216f7ed8ad432e12c5bdbc2d60f983b7
SHA-256: d65ec605e1b80a6ea86d66d9081c4d398b4ad066ec9aed15e630df6eff93079f
Risk score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, many of which are hosted on disposable domains, indicating a link farm designed to direct users to potentially malicious content. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or scam operations. Although no scripts were explicitly extracted, the PDF structure and embedded URLs point towards an attempt to lure users to external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000101d9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x101D9  6588 bytes
  SHA-256: fa72874b8c381873b432d3b5cea9ecddba20f04e8e1c9face7d560df1136061a
font_01_sfnt_off00011222.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11222  2988 bytes
  SHA-256: 546acd1a5a47648eedd65b65f2bc63d7c13a5797fedbece43ef8ae6b2ec800f9
font_02_sfnt_off00011cd4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11CD4  5436 bytes
  SHA-256: 10e2d19f0f3bdb5320889754435a8c5311e4461eb7d073485aae62c3950b492f
font_03_sfnt_off00012f3c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12F3C  2456 bytes
  SHA-256: 4af092271a53961015b328132fb2c1bff63cf7aafbf55b94edf9baad89b25fa1
font_04_sfnt_off00013a35.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13A35  12420 bytes
  SHA-256: b91417f43f632b1bcb1d507f5d3ae28249074a828035b24e3138e0b75304ad03
font_05_sfnt_off000162d4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x162D4  17556 bytes
  SHA-256: f00a7f018c30fdb3db815d54d0be2a99e037280f55a97788447853ae950f92e9