Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8e5f330649471c2…

Verdict: MALICIOUS
File type: PDF
Size: 74.0 KB
Created: 2021-03-19 06:20:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fc5abbdba8143dc364842006154f0dba
SHA-1: 80390dd787f9c118854a1cdef332a7beb5ed3810
SHA-256: e8e5f330649471c2babf14822bae782dcca9d8de0cb697a844e53811ff212e99
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier. It contains a large number of external links, many pointing to Weebly-hosted PDFs, suggesting a link farm designed to host malicious content or phishing pages. The embedded URLs and the PDF structure indicate an attempt to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/award?keyword=gina+asma+2020+pdf+portugues (label: URL)
    • https://gofazawadatefit.weebly.com/uploads/1/3/5/3/135349405/c2469292b7a9.pdf
    • https://lafadulow.weebly.com/uploads/1/3/4/5/134591129/bukem.pdf
    • https://rulipativix.weebly.com/uploads/1/3/1/6/131607363/fegimuko_pozir.pdf
    • http://freud.icu/award_certificate_template_word_freedewiv.pdf
    • https://manujemupofux.weebly.com/uploads/1/3/0/7/130738512/5651048.pdf
    • https://ximepovefuvaxoj.weebly.com/uploads/1/3/1/8/131856443/66da2fe7379e.pdf
    • https://ponozivodu.weebly.com/uploads/1/3/0/7/130775347/puxel.pdf
    • http://e-devletodeme.net/red_cross_first_aid_certification_onlinela1q0.pdf
    • https://lijowuvum.weebly.com/uploads/1/3/4/6/134624244/1808803.pdf
    • https://static.s123-cdn-static.com/uploads/4406168/normal_600302bfca2d4.pdf
    • https://tedipoji.weebly.com/uploads/1/3/1/4/131408178/5758e22ad.pdf
    • http://grusha.space/snow_white_princess_miku6zdxp.pdf
    • https://static.s123-cdn-static.com/uploads/4445125/normal_5ff94263a6c1a.pdf
    • https://static.s123-cdn-static.com/uploads/4417669/normal_5fcbe599981e2.pdf
    • http://lnstagramverifiedbadge-media.com/high_school_physical_education_lesson_plan_templatee3c1a.pdf
    • https://fuxiwajusefu.weebly.com/uploads/1/3/4/6/134617271/4b33be02d10accf.pdf
    • https://jijaxiwiruba.weebly.com/uploads/1/3/5/3/135333012/58352.pdf
    • https://cdn-cms.f-static.net/uploads/4366359/normal_604a241e8b6a1.pdf
    • https://cdn-cms.f-static.net/uploads/4471971/normal_602ae779c00f9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e1d1066b-4419-41ed-bb3c-fde1ad7af69a/proform_tour_de_france_clc_indoor_cycle_review.pdf
    • https://uploads.strikinglycdn.com/files/f04fc732-f00e-484a-81ec-6b87bde4ccff/9103030033.pdf
    • https://b6c9d0de-81a1-4db9-ab7d-8a95af9e63d6.filesusr.com/ugd/b28ae2_9a246548d66142098240012d727213ea.pdf?index=true
    • https://5548a280-a194-4776-8019-0e256783c1fa.filesusr.com/ugd/f2c1dc_b583187bdc8d42cfaacdf81a50e0d6e5.pdf?index=true
    • https://a765b249-d442-4b07-8ea9-8318d996b894.filesusr.com/ugd/902d29_8b7de725d7c94d75aa4b7049353a39d1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e78955ba-f9c5-4cc2-9351-1acf13dd665c/insinkerator_evolution_select_plus_vs_essential.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000ddd3.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xDDD3   5636 bytes
  SHA-256: 62dea6daeca288a97cc58fa3d95c43532a1263da99856111fb258768951b78c8
font_01_sfnt_off0000f0ea.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF0EA   13344 bytes
  SHA-256: f129d21224ca95e4f62cc6b7ff344079fd43317e5463208ed4f5606b41e4e659