Malicious PDF — malware analysis report

Static analysis result for SHA-256 e48df558301a0b38…

MALICIOUS

PDF

Size: 79.7 KB
Created: 2021-05-18 00:19:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 1a43b899d4c304e75045e2352cf6a27d
SHA-1: 6a32e3299444c7f61cb8ea22a2a8cc97882b367d
SHA-256: e48df558301a0b3854155d8a082f930f0dde8f9c47fc2370b627dcc3edfb9d93
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, many pointing to disposable hosting, which suggests a link farm or SEO manipulation tactic. The heuristics 'PDF_SEO_LINK_FARM' and 'PDF_SEO_DISPOSABLE_LINK_FARM' strongly indicate this malicious intent. While no scripts were explicitly extracted, the presence of embedded URLs and the ML classifier's high confidence score point towards a phishing or malicious redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000f70f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF70F | 5416 bytes | 205235b63d53336760164d983afba8cc0be614cc6d3b1528970d9c9234bd0b5b
font_01_sfnt_off00010998.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10998 | 10896 bytes | 1b84585974aed422fa4f1ae20841a7a7d601f0171628cf14b6aab669bc44c6f6