Malicious PDF — malware analysis report

Static analysis result for SHA-256 da4a2b9401223a87…

Verdict: MALICIOUS
File type: PDF
Size: 82.7 KB
Created: 2021-03-18 16:05:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01a898b68b3394ec4168118b3688d2bb
SHA-1: 95121f24854b4112fdaf53b229a5eab017efaf16
SHA-256: da4a2b9401223a871d1b5d28d13f250b4661cedf8ea94bc246eb3cee901b6bbf
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of external links, many of which point to PDF files hosted on various platforms, suggesting a link farm or redirection mechanism. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and numerous external links are indicative of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000105cb.bin
  SHA-256: 3b9822b6f2911a00ddf811219e2319dd2ebc3a540c0f7024779918516b7b7d78
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x105CB
  Size: 5372 bytes

Filename: font_01_sfnt_off00011811.bin
  SHA-256: b700a016b41fd2e668c381412569181eb734b33d90eab0dd2a3ff9f3297358a6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11811
  Size: 11144 bytes