Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec2b657c20d06db0…

MALICIOUS

PDF

Size: 91.3 KB
Created: 2021-04-08 16:54:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 741835b613d2deaf9788599df4972da5
SHA-1: d19222e3d4689b7fac6ae3c2801725b6545e330e
SHA-256: ec2b657c20d06db0950daa68bde55359b36a0c2984fd05f3e325909ec7a467c8
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, most of them pointing to .pdf files on free-hosting and throwaway domains (weebly.com, rf.gd, strikinglycdn.com, filesusr.com) with generated-looking names, which is the footprint of a link farm or SEO manipulation tactic rather than a normal citation pattern. The ClamAV detection and the ML classifier both indicate malicious intent, most likely phishing or malware distribution through the redirect chain behind those links. No scripts were extracted, so the T1059.007 mapping rests on the heuristic profile rather than on recovered JavaScript; the verdict is driven by the document structure (a duplicated object body and mass external link annotations) together with the signature and classifier hits. Note that the trailing entries of the URL list (the w3.org, purl.org and ns.adobe.com namespaces, the SIL OFL and DejaVu licence links, and very likely the ascendercorp.com font-vendor pages) are XMP metadata and embedded-font strings rather than clickable link annotations, and should not be counted toward the link-farm total.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=is+one+punch+man+available+on+crunchyroll
    • https://labegemi.weebly.com/uploads/1/3/4/7/134709462/9670712.pdf
    • http://qqkaxes.xyz/88822383691l0r16.pdf
    • https://kazerefe.weebly.com/uploads/1/3/1/0/131070627/gonalus.pdf
    • https://sirowatogiwu.weebly.com/uploads/1/3/2/8/132814809/d8429fa1c021d.pdf
    • https://zujuwaxi.weebly.com/uploads/1/3/5/3/135307850/9a6057cc9bfbe88.pdf
    • http://rimonevo.iblogger.org/cg_vyapam_cmo_admit_card_2019.pdf
    • https://kaxinobo.weebly.com/uploads/1/3/4/4/134479785/zibexu.pdf
    • http://idealica-ituficiale.website/google_form_sign_in_sheetp3s2q.pdf
    • https://nodokesomizi.weebly.com/uploads/1/3/4/6/134656280/062820.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_31801c2158e74b6d88ecbf6f65a03ced.pdf?index=true
    • http://tonunipuwe.rf.gd/japan_guide_tokyo_subway_pass.pdf
    • http://mafatiwi.rf.gd/descargar_whatsapp_plus_azul_para_android.pdf
    • https://uploads.strikinglycdn.com/files/02b201e1-4eb2-41ab-bd95-4cb9ca5f7956/3975190095.pdf
    • https://uploads.strikinglycdn.com/files/ce9eb0de-915d-45ba-ae1d-66bcec0b803a/how_does_the_decision_tree_algorithm_work.pdf
    • https://uploads.strikinglycdn.com/files/7decf0a7-d3d5-48e9-bb68-228c8ffda37d/suzipeluwegume.pdf
    • https://uploads.strikinglycdn.com/files/20b9159c-25de-4355-aea1-ea5ed630cf81/funny_short_stories_for_high_school_students.pdf
    • http://sefamuw.rf.gd/what_are_the_benefits_of_joining_the_daughters_of_the_american_revolution.pdf
    • https://uploads.strikinglycdn.com/files/7e71725a-bc29-435d-a9a9-41a52b9eb189/new_moon_rituals_august_2020.pdf
    • https://f5d5bca3-0ffd-41e3-a77d-3d805a1e43e5.filesusr.com/ugd/4e23ca_b79f2d519ce8465db668c5ad3c6666f6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
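The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are easy to reproduce by hand on an uncompressed PDF. The following is an added example, not the analysis tool's code: it scans `N G obj ... endobj` definitions, flags an object number that appears twice with different bodies (raising severity only when a body carries active content such as /URI or /JS), resolves /Link annotation targets under both a first-wins and a last-wins policy to show how two readers can land on different URLs, and scores the resulting URL set for link-farm clustering. The PDF bytes, the hostnames (example-farm.test, redirector.test, other.test) and the thresholds are constructed for illustration; a real sample would first need its FlateDecode streams inflated.

```python
"""Toy PDF triage for two of the heuristics above: link-farm scoring over
/URI link annotations and detection of an object number defined twice with
different bodies. Added example, not the analysis tool's code."""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): an uncompressed PDF whose link
# annotations cluster on one host, followed by an incremental update that
# redefines object 4 0 with a different /URI target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-farm.test/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-farm.test/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-farm.test/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.test/license) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-farm.test/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example-farm.test/e.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.test/strik) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence in a duplicated object means the duplicate can change
# what the reader *does*, not only how the page looks.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def parse_objects(pdf: bytes) -> dict[tuple[int, int], list[bytes]]:
    """Map (object number, generation) to every body defined for it, in file
    order. A clean file has one body per key; incremental updates add more."""
    objects: dict[tuple[int, int], list[bytes]] = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        objects.setdefault(key, []).append(m.group(3).strip())
    return objects


def duplicate_objects(pdf: bytes) -> list[dict]:
    """Flag object numbers defined more than once with differing bodies.
    Severity is 'info' for body-only differences and 'high' when any of the
    bodies carries active content, mirroring the heuristic's escalation rule."""
    findings = []
    for (num, gen), bodies in parse_objects(pdf).items():
        if len(set(bodies)) < 2:
            continue
        active = any(key in body for body in bodies for key in ACTIVE_KEYS)
        findings.append({"obj": f"{num} {gen}", "definitions": len(bodies),
                         "severity": "high" if active else "info"})
    return findings


def link_uris(pdf: bytes, policy: str = "last") -> list[str]:
    """Return /URI targets of /Link annotations, resolving duplicates with a
    first-wins or last-wins policy (two behaviours seen in real readers)."""
    uris: list[str] = []
    for _key, bodies in sorted(parse_objects(pdf).items()):
        body = bodies[0] if policy == "first" else bodies[-1]
        if b"/Subtype /Link" not in body:
            continue
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


def link_farm_score(uris: list[str], min_links: int = 3, cluster_ratio: float = 0.6) -> dict:
    """Link-farm heuristic: several external links, mostly on one host and
    mostly pointing at .pdf files, rather than a spread of cited sources."""
    parsed = [urlparse(u) for u in uris]
    hosts = Counter(p.hostname for p in parsed if p.scheme in ("http", "https"))
    total = sum(hosts.values())
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / total if total else 0.0
    return {"external_links": total,
            "top_host": top_host,
            "top_host_share": round(share, 2),
            "pdf_links": sum(1 for p in parsed if p.path.lower().endswith(".pdf")),
            "fires": bool(total >= min_links and share >= cluster_ratio)}


if __name__ == "__main__":
    print("duplicates:", duplicate_objects(SAMPLE_PDF))
    print("first-wins targets:", link_uris(SAMPLE_PDF, "first"))
    print("last-wins targets: ", link_uris(SAMPLE_PDF, "last"))
    print("link-farm score:", link_farm_score(link_uris(SAMPLE_PDF)))
```

Run against the constructed sample, the duplicate `4 0 obj` is reported as high severity because both bodies carry a /URI action, and the first-wins and last-wins target lists differ only in that object: one reader follows the farm link, the other the redirector. The link-farm score still fires under both policies because the remaining annotations cluster on a single host.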

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ed3d.bin
    SHA-256: 33b980edce442073d642ac5f4afa8f05e8cf44d31030cdb2cfd389c9919dca99
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED3D
    Size: 10808 bytes
  • font_01_sfnt_off000110d9.bin
    SHA-256: c24560d53bae2e0e1277191b4de815c8a5e49492720ec5049a90a9f2f839da6c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x110D9
    Size: 5412 bytes
  • font_02_sfnt_off0001231d.bin
    SHA-256: 93ffdf1d749218f7ade41f5593caf63352d0c06e1cdaed4ba77c95e3588b5ad6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1231D
    Size: 11376 bytes
  • font_03_sfnt_off00014a3e.bin
    SHA-256: 1572f1bef06e94643c552f70f3ef07ecee9bf7de88dacbdbabe2fa1db5c51cc3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14A3E
    Size: 16076 bytes
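The carved artifacts are labelled sfnt (TrueType/OpenType) font streams. Before accepting that label, a practitioner will want to confirm that each carved blob really parses as an sfnt container and that its table directory stays within the blob, since font parsers are an attack surface of their own and a stream that only looks like a font deserves a closer look. The following added example (not the analysis tool's code) builds a constructed minimal sfnt, parses its offset table and table directory, reports the SHA-256 for cross-checking against the table above, and shows what a truncated stream looks like. The `build_sfnt` helper and its `head`/`name` payloads exist only to give the parser input to work on.

```python
"""Sanity checks for a carved sfnt font stream. Added example, not the
analysis tool's code; the sample font bytes are constructed inline."""
from __future__ import annotations

import hashlib
import struct

# Magic values of the three sfnt flavours found inside PDF FontFile2/FontFile3 streams.
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)", b"OTTO": "OpenType/CFF"}


def build_sfnt(tables: dict[bytes, bytes]) -> bytes:
    """Assemble a minimal sfnt: 12-byte offset table, 16-byte directory entries,
    then 4-byte-aligned table data. Checksums are left at zero; this exists
    only to give parse_sfnt something realistic to chew on."""
    num = len(tables)
    directory, data, offset = b"", b"", 12 + 16 * num
    for tag, body in tables.items():
        directory += struct.pack(">4sIII", tag, 0, offset, len(body))
        padded = body + b"\0" * (-len(body) % 4)
        data += padded
        offset += len(padded)
    return struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0) + directory + data


def parse_sfnt(blob: bytes) -> dict:
    """Check that a carved blob is a plausible sfnt: known magic, a table count
    that fits, and every directory entry inside the blob. Returns findings
    rather than a verdict so the caller can decide how to treat oddities."""
    result = {"sha256": hashlib.sha256(blob).hexdigest(),
              "flavour": None, "tables": [], "problems": []}
    if len(blob) < 12:
        result["problems"].append("shorter than the 12-byte sfnt offset table")
        return result
    magic = blob[:4]
    num_tables = struct.unpack(">H", blob[4:6])[0]
    result["flavour"] = SFNT_MAGICS.get(magic)
    if result["flavour"] is None:
        result["problems"].append(f"unknown magic {magic!r}")
        return result
    if num_tables == 0 or 12 + 16 * num_tables > len(blob):
        result["problems"].append(f"numTables={num_tables} does not fit in {len(blob)} bytes")
        return result
    for i in range(num_tables):
        tag, _checksum, off, length = struct.unpack_from(">4sIII", blob, 12 + 16 * i)
        result["tables"].append(tag.decode("latin-1"))
        if off + length > len(blob):
            result["problems"].append(f"table {tag!r} runs past end of blob")
    return result


# Constructed inputs: a well-formed two-table font and a truncated copy of it.
GOOD_FONT = build_sfnt({b"head": b"\0" * 54, b"name": b"\0" * 20})
TRUNCATED_FONT = GOOD_FONT[:-10]


if __name__ == "__main__":
    for label, blob in (("good", GOOD_FONT), ("truncated", TRUNCATED_FONT), ("not a font", b"%PDF-1.4")):
        print(label, parse_sfnt(blob))
```

For the real artifacts, read the carved `.bin` file and pass its bytes to `parse_sfnt`; the returned `sha256` should match the digest listed for that filename, and an empty `problems` list with a familiar set of tags (`head`, `name`, `glyf`, `cmap` and so on) is what a genuine subset font embedded by wkhtmltopdf looks like.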