Malicious PDF — malware analysis report

Static analysis result for SHA-256 e07bdeb9a1417714…

Verdict: MALICIOUS
File type: PDF
Size: 116.3 KB
Created: 2021-03-24 05:10:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c9253947fcc3af4404dca7d70b4fa319
SHA-1: 7106828a3f8ed922f8fab0cded482b92dcb89dce
SHA-256: e07bdeb9a1417714cfb45701faa8dbb514ae6a26793c12db30de9ae6b0e004b6
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF exhibits the characteristics of a link farm or SEO-manipulation carrier: a small, machine-generated document whose clickable content is a large number of external links to other PDF documents. The critical PDF_SEO_LINK_FARM heuristic together with the ClamAV detection Pdf.Phishing.Trojan is what drives the MALICIOUS verdict. No scripts were extracted, so the T1059.007 (JavaScript) tag above is not corroborated by any carved content; the assessed risk is that the document routes users who follow the links into phishing pages or unwanted-software delivery chains rather than that it executes code on open.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9904

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature match
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI action
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, ...) is not shown in this list. Note that the XMP namespace URIs (w3.org, purl.org, ns.adobe.com) and the font license and designer URLs (gnu.org, scripts.sil.org, dejavu.sourceforge.net, savannah.gnu.org, ascendercorp.com, fedorahosted.org/lohit, thdl.org) are consistent with document metadata and the name tables of the eight embedded fonts rather than with link annotations, which also accounts for run-on entries such as gpl.htmlTibetan. The .pdf targets are the links the PDF_SEO_LINK_FARM heuristic counts.
    • https://soxebez.ru/wix?keyword=nikki+quiz+on+miraland+answers+2020
    • https://losuwigawoje.weebly.com/uploads/1/3/5/3/135304717/9585365.pdf
    • https://cdn.sqhk.co/pefatipi/cgcgfNL/vasugedi.pdf
    • https://cdn.sqhk.co/momajuxu/g6Wgiha/venus_flytrap_care_outdoor.pdf
    • https://bageriwiko.weebly.com/uploads/1/3/2/8/132814239/dbf675.pdf
    • https://satemegozujig.weebly.com/uploads/1/3/4/4/134477909/mavuse.pdf
    • https://cdn.sqhk.co/lusimalifa/jhhIhid/10439148462.pdf
    • https://gawajofanobovap.weebly.com/uploads/1/3/5/2/135296378/7539323.pdf
    • https://levapexufusetij.weebly.com/uploads/1/3/4/9/134904519/5c37ceb16d18af5.pdf
    • http://reduslimitaly-official.website/muslim_travel_guide_busanycn7l.pdf
    • http://wisecredit.info/microsoft_online_cover_letter_templates1h3zm.pdf
    • http://sandwichhq.club/french_grammar_revision_worksheets1i8u3.pdf
    • https://cdn.sqhk.co/ludukuni/hBjhjer/open_universe_definition_astronomy.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.thdl.org/http://www.thdl.org/Tibetan
    • http://fedorahosted.org/lohit
    • https://ca3ec1ac-6ff7-4c8f-ae0f-86a30d86e335.filesusr.com/ugd/3615fb_8c56bbbc8b194397ac721693574f4d2b.pdf?index=true
    • https://144c9d4d-401b-437b-b89f-6a5816d7da47.filesusr.com/ugd/cd33f5_5df99686a03e48e199e72b74919761eb.pdf?index=true
    • https://2ddedb0e-b7b0-41c9-a8bc-c018bd0e6e4c.filesusr.com/ugd/70094d_dacee7fcd16847bb8473c6ce72c08f1f.pdf?index=true
    • https://fa202315-5cd5-4006-9a99-7c5d4406650e.filesusr.com/ugd/61804c_52bbb42443cf453c805026fa09d0097d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://www.gnu.org/copyleft/gpl.htmlTibetan
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
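The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, are easy to reproduce for triage. The following is an added example written for this page, not code from the analyzer that produced the report. It scans uncompressed `N G obj ... endobj` blocks with regular expressions, so it only sees objects stored in clear text (it does not inflate FlateDecode streams or object streams); the thresholds, the registrable-domain approximation, the function names and the sample PDF bytes are all assumptions chosen for illustration. The same object scan serves both checks, which is the point: the set of URIs a reader follows depends on whether it resolves duplicate object numbers first-wins or last-wins.

```python
"""Triage checks for PDF link farms and duplicate object definitions.

Added example, not the analyzer's code. Regex scan of clear-text objects only;
thresholds and sample data are illustrative assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values only; hex strings and escaped parens are out of scope.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def parse_objects(pdf: bytes):
    """Yield (num, gen, body) for every indirect object in file order,
    including repeated definitions left behind by incremental updates."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(pdf: bytes) -> dict:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: object ids defined more than once
    with differing bodies. Returns {(num, gen): [body, ...]}; a first-wins reader
    renders bodies[0], a last-wins reader renders bodies[-1]."""
    seen = {}
    for num, gen, body in parse_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve_objects(pdf: bytes, policy: str = "last") -> dict:
    """Collapse duplicates the way a first-wins or last-wins parser would."""
    out = {}
    for num, gen, body in parse_objects(pdf):
        if policy == "first" and (num, gen) in out:
            continue
        out[(num, gen)] = body
    return out


def extract_uris(pdf: bytes, policy: str = "last") -> list:
    """URI action targets as seen by a reader using the given resolution policy."""
    objs = resolve_objects(pdf, policy)
    return [m.decode("latin-1") for key in sorted(objs) for m in URI_RE.findall(objs[key])]


def registrable(host: str) -> str:
    """Crude registrable-domain approximation (last two labels). Assumption for
    illustration; production code should consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def link_farm_score(pdf: bytes, policy: str = "last", max_size: int = 256 * 1024,
                    min_links: int = 8, cluster_ratio: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM shape: a small file whose clickable external links mostly
    point at .pdf files under one registrable domain. Thresholds are assumptions."""
    uris = extract_uris(pdf, policy)
    pdf_links = [u for u in uris
                 if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable(urlsplit(u).hostname or "") for u in pdf_links)
    top_domain, top_n = domains.most_common(1)[0] if domains else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "uri_count": len(uris),
        "external_pdf_links": len(pdf_links),
        "top_domain": top_domain,
        "top_domain_share": share,
        "hit": len(pdf) <= max_size and len(pdf_links) >= min_links and share >= cluster_ratio,
    }


# Constructed sample, not the report's file: link annotations pointing at .pdf
# files on throwaway .test hosts, plus object 10 redefined with a different URI.
SAMPLE_LINKS = [f"https://s{i}.linkfarm.test/uploads/{i}/doc{i}.pdf" for i in range(6)] + [
    "https://cdn.other.test/a/b.pdf",
    "https://cdn.other.test/c/d.pdf",
    "https://vendor.test/license.html",  # non-.pdf target, not counted
]


def build_sample_pdf(links=SAMPLE_LINKS, redefine_first: bool = True) -> bytes:
    """Build a minimal clear-text PDF skeleton with one link annotation per URL."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    refs = []
    for num, url in enumerate(links, start=10):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (num, url.encode()))
        refs.append(b"%d 0 R" % num)
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + b" ".join(refs) + b"] >> endobj")
    if redefine_first:
        # Incremental-update style: same object number, different body bytes.
        objs.append(b"10 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (https://swapped.test/last-wins.pdf) >> >> endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    for policy in ("first", "last"):
        print(policy, link_farm_score(sample, policy))
    print("duplicates:", sorted(duplicate_objects(sample)))
```

Run on the constructed sample, both policies flag the link farm (eight .pdf targets, most under one domain, in a file far below the size ceiling), but the first-wins and last-wins URI sets differ by exactly the redefined object 10, which is the disagreement the duplicate-object heuristic describes. On a real sample like the one in this report you would feed the raw file bytes in, and remember that anything inside compressed streams is invisible to this scan.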

Extracted artifacts (8)

Files carved from inside the sample during analysis. All eight are embedded font programs (sfnt); no JavaScript, embedded file or form stream was carved, which is consistent with a wkhtmltopdf-rendered HTML page whose payload is the links themselves.

Filename                     | SHA-256                                                          | Kind            | Source                                      | Size
-----------------------------|------------------------------------------------------------------|-----------------|---------------------------------------------|------------
font_00_sfnt_off0001250c.bin | ad612a1da5b5094016b7e02b8c7d4e626d66343e9b1db5252040acd9c5701072 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1250C  | 3140 bytes
font_01_sfnt_off0001306f.bin | 1307ef509c1549668d99855777caa08eee997793c4f555000784f908c037550a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1306F  | 5548 bytes
font_02_sfnt_off00014311.bin | 78c74b1e4242eee23266b5e720e75f15d9ecb536dcdd927ea26c734178fafca6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14311  | 6220 bytes
font_03_sfnt_off0001523d.bin | 54cacd53223b2bc8d1c431f9f650cee10ce9541368364fdbbf68b9ebbbeb9bf5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1523D  | 10272 bytes
font_04_sfnt_off00016794.bin | 57f3b4d45ddd07b0d33da2fef54a589b1d3ad48efdda6101d336edd91a818376 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16794  | 2444 bytes
font_05_sfnt_off00017173.bin | beab4b7024beae80184c21e5c04fae9625d0006fd8629ea42701ca3b94accd5a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17173  | 11908 bytes
font_06_sfnt_off00019a68.bin | 33fa2ab00926ea183f90fca9ad30c678f64deb1888c94c4f4f07fd31f9c619e7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19A68  | 17568 bytes
font_07_sfnt_off0001b51e.bin | 80dfab9842fa4c5e0b6c011d396fb0db0b4e8970bdd700b4c23fc12015a6e449 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B51E  | 2244 bytes