Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb89d6a6073a2811…

MALICIOUS

PDF

88.9 KB Created: 2021-03-23 08:52:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e482cc072adfd051433f5718577ab412 SHA-1: 2aa1468b4fdb8d8cf638fd2e326563ef5eef46b8 SHA-256: eb89d6a6073a2811f9b3604ce008024a76f48c98fa1ddb12e313ce10d4383581
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to benign-looking PDF files, but one suspicious URL is present. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, suggesting a link farm or redirection mechanism. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution via these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/123?utm_term=exercices+sur+l%2527+article+partitif+pdf
    • https://cdn.sqhk.co/xawobovuji/hdd6ihf/70528305864.pdf
    • https://werijininen.weebly.com/uploads/1/3/4/6/134635560/408126.pdf
    • https://cdn.sqhk.co/wixikinotu/iihhegd/10504292318.pdf
    • https://cdn.sqhk.co/dezorevukor/if89gj6/20188993768.pdf
    • https://cdn.sqhk.co/genopeno/fhhiiBF/2540820759.pdf
    • https://norabemomo.weebly.com/uploads/1/3/0/9/130969424/xazif.pdf
    • https://pavonaxasove.weebly.com/uploads/1/3/5/3/135310158/dugesivenasudu_netefesuvowig_wekugutalefij_zesoxewoj.pdf
    • https://cdn.sqhk.co/zofizitene/HeOqhg2/splashdown_tower_park_slides.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/bdd99400-21ae-4b6f-9dac-806e4972204b/vibali.pdf
    • https://uploads.strikinglycdn.com/files/457faee4-6dfe-4e83-81a5-614703fb70da/timex_ironman_watch_battery_life.pdf
    • https://18574fdc-dbe8-4f24-a3f7-ab3d6ff540e7.filesusr.com/ugd/d45bfa_3db8ba5e09274beb8cb5eb1ae7933eba.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8ce5bf8a-e576-4a93-9dc4-26dc03619cd7/92473461489.pdf
    • https://uploads.strikinglycdn.com/files/e37cb40e-3926-421d-aeda-2f705618f608/42848699211.pdf
    • https://uploads.strikinglycdn.com/files/d9ba6430-3e1a-435e-92f0-8cd0ae2b1a9d/why_is_my_fan_not_spinning_on_my_ac_unit.pdf
    • https://uploads.strikinglycdn.com/files/32a5dd22-0c17-4ab0-909c-ca357d1d8e5a/gorup.pdf
    • https://uploads.strikinglycdn.com/files/2ca24a58-cf77-4e09-9aa2-4f4ef02be4f9/bissell_proheat_2x_revolution_pet_pro_replacement_belt.pdf
    • https://b6de9e3f-c562-4e05-b5ee-70895c8060ae.filesusr.com/ugd/3801ff_c49aa781011e481d82ea1629260db1bc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ef693560-e9f9-45b3-aeb7-0d9af2214b5a/among_the_barons_summary.pdf
    • https://1801fa0f-56e4-4894-8452-b8e06651d4be.filesusr.com/ugd/868401_16aacaf41e9045879262310ccdf94512.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5f02f616-f9fa-4e99-a597-fe20863e0426/86966614569.pdf
    • https://ddb281da-11d2-423e-b83a-408ecf1f607f.filesusr.com/ugd/9db61c_22c146412e7e4b5398c0f264ab13f7f2.pdf?index=true
    • https://ebbb41b5-b8b7-4bfc-9e1b-23e79ad93844.filesusr.com/ugd/5eba67_22851eabd1df432ea4c73d3f1cfac66e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c680199c-4cf1-4a2a-92a1-6077e4606cfc/tamaz.pdf
    • https://uploads.strikinglycdn.com/files/e44d8d0f-62cd-4dd2-9e97-83cf1aa06f7d/casio_classic_w-800hm-3avef.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001180d.bin
991c1b9b1563381db791a80544e966de2862c1f358853e64e3d85c89f820dd78		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1180D 5208 bytes
font_01_sfnt_off000129e4.bin
523297db611d23620545eb801c0e2c0c8a79a5ce811da2728e8fd485325818c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x129E4 13756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.