Malicious PDF — malware analysis report

Static analysis result for SHA-256 dac811e5647730ea…

Verdict: MALICIOUS

File type: PDF

Size: 89.4 KB
Created: 2021-03-21 23:27:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 048142b564cb4bbeb31db326616276af
SHA-1: 50e1acafe30f932b84dad2e443552c0b1f1717cf
SHA-256: dac811e5647730eabd4f2ea12b70a87f3f46a4041ff04ac3b0bc08828d378e63
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to domains commonly used in SEO spam and phishing campaigns. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, and the ClamAV detection confirms its malicious nature. While no scripts were explicitly extracted, the presence of numerous URLs suggests an attempt to redirect users to malicious websites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00010839.bin
    SHA-256: 3c6862b99f513dd8ac4e99de30d70a659d3c37565a941961f5d646f553e02121
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x10839; Size: 5292 bytes
  • font_01_sfnt_off00011a34.bin
    SHA-256: f7604f852e7fcf9f88d79c867a949bb78955f090739d72f3d212609a7615562a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11A34; Size: 11964 bytes
  • font_02_sfnt_off00014328.bin
    SHA-256: 173e74cb656ce8cf62e9dba6189377201a248cf59bd5f118deeb5932e9a17b3a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x14328; Size: 16132 bytes