Malicious PDF — malware analysis report

Static analysis result for SHA-256 da94dd447000565b…

Verdict: MALICIOUS
File type: PDF
Size: 80.9 KB
Created: 2021-03-24 02:31:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a76e3d2f3168ecce15eb679a88b9f35
SHA-1: 7b25b1f973198e7573ff965e0287041770d6aabd
SHA-256: da94dd447000565b9cfd4dfdf60d2a74895c701c7e7448dd21d67030a902b861
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a mass of external links, many of which point to other PDFs, suggesting a link farm used for SEO manipulation or to distribute further malicious content. The presence of external URIs and the overall structure strongly suggest this file is part of a phishing or malware distribution campaign, likely initiated via spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000ec66.bin
    SHA-256: 7c6b2374676380a78ae6f7e1a79930df236d9e9ac68916bc4957fb6f77bca6d9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC66
    Size: 4816 bytes
  • font_01_sfnt_off0000fce7.bin
    SHA-256: 5dfa774862164e2f648400de63b47d830e4590270641b60947614482f2485a1e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCE7
    Size: 10532 bytes
  • font_02_sfnt_off0001213c.bin
    SHA-256: 10572f3a10760712fbb8352e098d229fd21f48763f52fb6fd9385479015ceb58
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1213C
    Size: 16060 bytes