Malicious PDF — malware analysis report

Static analysis result for SHA-256 dabc350ea3936c01…

Verdict: MALICIOUS
File type: PDF
Size: 72.7 KB
Created: 2021-03-30 03:07:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 05971cb70f959405fdaa5f3e59c578f4
SHA-1: 36311df51c6fe1e49a1dbf8e4d3b5f263e5fea5e
SHA-256: dabc350ea3936c018a296b33bd1baaf627c582d2f5562ee2abf23c9bce2c84ca
Risk score: 164

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are SEO-optimized, suggesting a link farm designed to attract traffic. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or malware distribution. While no scripts were explicitly extracted, the PDF structure and numerous external links point towards a malicious workflow, potentially involving the download of further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://seumenha.ru/award?keyword=objective+computer+awareness+book+pdf
    • https://cdn-cms.f-static.net/uploads/4366306/normal_603f98fc92da1.pdf
    • http://characduwe.space/kenagabulewusorululub1cb83.pdf
    • http://astropsychology.website/callaway_gardens_golf_pro_shopkn88r.pdf
    • https://cdn-cms.f-static.net/uploads/4484363/normal_6046746d3eb84.pdf
    • https://cdn-cms.f-static.net/uploads/4452381/normal_604f4098dbd45.pdf
    • https://cdn-cms.f-static.net/uploads/4476443/normal_603e9fdc8ac46.pdf
    • http://helpcenterbusiness.xyz/organic_chemistry_exercises_and_solutions8iy5x.pdf
    • https://cdn-cms.f-static.net/uploads/4384817/normal_6038e1e93cf42.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://288dffde-0386-48bd-adba-b069b5f3b70f.filesusr.com/ugd/7e1b39_06d156625809481b81dd950c37fec460.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9beb9133-e7bf-478f-94fd-37c57e0a8782/99899697479.pdf
    • https://uploads.strikinglycdn.com/files/26b63eb6-4575-46d6-bcc2-112ec73cd38b/11336510307.pdf
    • https://uploads.strikinglycdn.com/files/e150611f-56c9-41c2-82a2-1bc35a2d71cf/digital_design_marine_speakers.pdf
    • https://uploads.strikinglycdn.com/files/678c6da8-c3d7-4378-a62b-d906e14308a9/rivolo.pdf
    • https://c1d61d78-9bae-425c-b347-ee91470fe4f1.filesusr.com/ugd/60933b_8918ff6033314bc8ba847fb001981261.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cd7adf7c-1c72-429c-af19-dfb2d2205a4f/ubu_le_roi.pdf
    • https://uploads.strikinglycdn.com/files/fb2e7084-6ae5-4c74-8b19-ff347f6eec40/why_does_my_jigsaw_blade_keeps_falling_out.pdf
    • https://7f1d4f38-7308-4051-b389-b8ed31312188.filesusr.com/ugd/e948c1_8022523ec693428199ab180f85e78dee.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4dc682e2-0f47-4d6e-a83e-3710a9d97d23/9813493008.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000dd10.bin
    SHA-256: fe761ebf77f794e884d87e4e544ef279a3fca11251e1cd696e3a50bec41c5021
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDD10
    Size: 5728 bytes
  • Filename: font_01_sfnt_off0000f08a.bin
    SHA-256: 1f3cdc48198127463ac49e357332bcd9cddf6e3f5894dda9b2274f98813f7f8f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF08A
    Size: 10900 bytes