Malicious PDF — malware analysis report

Static analysis result for SHA-256 df2c41df0ab3ed4f…

MALICIOUS

PDF

69.9 KB Created: 2021-04-07 00:53:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e5a5120852f802a9a784a4c8062c718 SHA-1: 30ff63ffd9a7c3f99d3e8cf7bfbe2dc424ab9afc SHA-256: df2c41df0ab3ed4f3ab66c367c4f787c38a7991f34f705718420478d4cbb6fd9
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for SEO link farms and phishing. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were extracted, the presence of embedded URLs and the heuristic findings point to a phishing attempt designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/award?keyword=beauty+and+the+beast+piano+pdf
    • https://cdn-cms.f-static.net/uploads/4386333/normal_602c3bc27a33d.pdf
    • http://zarabatyivat.ru/nomorekiponwh20v.pdf
    • http://fionainthefield.org/open_clip_art_library59vn4.pdf
    • http://upgrade4me.com/29213402985qon51.pdf
    • https://gusobenatidisa.weebly.com/uploads/1/3/4/4/134475091/kawavitosafu-nudumireli-tejelino.pdf
    • http://dompodklyuch.com/cyberghost_6_crack_free_apklx4s9.pdf
    • http://tertov.xyz/fallout_4_mods_nexushetz4.pdf
    • https://cdn-cms.f-static.net/uploads/4404292/normal_6022ee5cdbf40.pdf
    • http://copyright-services-us.com/dawiriwafidosoxataayx9q.pdf
    • https://bunonosuvon.weebly.com/uploads/1/3/5/9/135976801/xavebuge.pdf
    • http://megantv.site/machine_learning_books_online70htq.pdf
    • https://wubabenababi.weebly.com/uploads/1/3/4/4/134432193/7a90911.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b09a76d9-bb25-4221-b31d-87ad416b2573/is_it_illegal_to_buy_lock_picking_tools.pdf
    • https://61090d85-22e6-4724-b969-52a17785150c.filesusr.com/ugd/952c2e_160e0945da32439ab967c30bea2546c2.pdf?index=true
    • https://4a1fbaa0-0e67-401b-a466-96699e2e5642.filesusr.com/ugd/9647bf_f8861d9c87f04b46ba14a88d8efe8931.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dbd105c5-67bf-41e0-91e8-9bfbe6d3dbcc/98401224869.pdf
    • https://39ad70c8-6a03-4de2-a89b-b0209cba5754.filesusr.com/ugd/d2759c_6287c8a15c894a1da87d14488c2d8673.pdf?index=true
    • https://uploads.strikinglycdn.com/files/165471d2-0206-4fdb-8a71-6205dbc8eb64/siwojinuv.pdf
    • https://9c43cb74-45e3-47de-9527-fda2e8336169.filesusr.com/ugd/af0aa9_695ae3d220e44995a7c25418d352e6c8.pdf?index=true
    • https://18aefb47-0221-41c7-ace0-4f78eb33e730.filesusr.com/ugd/bca722_975eab872fb34940ae9d279acf6f9326.pdf?index=true
    • https://uploads.strikinglycdn.com/files/19895851-1cff-4e59-95f7-04720b24f79a/28262994307.pdf
    • https://uploads.strikinglycdn.com/files/043a7671-c62e-4e5c-b26d-b919d1d84f0b/nilegikefa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d30e.bin
207715908102da93dbcaecb48be8110d4ec16015b1acb1ecddbb550660cc39df		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD30E 5292 bytes
font_01_sfnt_off0000e514.bin
d4aa7e46c0c99c0d04138c509e91c1f7d91b34a4a014ac0baf8a6dcbf216d702		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE514 10960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.