Malicious PDF — malware analysis report

Static analysis result for SHA-256 e696f33dcbe61fb3…

Verdict: MALICIOUS
File type: PDF
Size: 73.8 KB
Created: 2021-04-02 00:45:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 92990223543fa114ba78548ddb52bfd6
SHA-1: 29321fc6cfec4fdd217e6bda6786845b4733daa0
SHA-256: e696f33dcbe61fb3c4764e993ca83456eafb634b2baf4279b160924b8edfd8df
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a common tactic for phishing and SEO link farms. The embedded URL and the heuristic firings strongly suggest a phishing attempt disguised as a search result. While no scripts were explicitly extracted, the presence of external links and the ML classification indicate malicious intent, likely to redirect the user to a compromised site for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://botokaw.ru/strik?utm_term=what+is+the+standard+size+of+a+pack+and+play

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e10d.bin
  SHA-256: 2e308e8fb9ade67917cc89b450910a8421e0d7898a91e2599d79ff894074152b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE10D
  Size: 5472 bytes

Filename: font_01_sfnt_off0000f3c5.bin
  SHA-256: 218c78a12903709837e4f6f45a97496486d5725b639c11e7ea6c48dda29c449a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF3C5
  Size: 11128 bytes