Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef10eb6a0d30d41b…

MALICIOUS

PDF

85.1 KB Created: 2021-03-14 16:15:32 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0b1f0d0e0564e6cbd135346ac7a0473e SHA-1: 71e6fc94c280bd72d619a7dce35d04caa4f0df37 SHA-256: ef10eb6a0d30d41b75d70f99460993266ae5c5ecd2207532f0f8ac0f51c8d48e
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded URLs, with a primary suspicious URL pointing to a site offering a cracked application. Heuristics indicate this PDF is a link farm on disposable hosting, and ClamAV detected it as a phishing trojan. The ML classifier also strongly flagged it as malicious. While no scripts were directly extracted, the structure and embedded links suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/123?utm_term=reshape+beauty+plus+apk+cracked
    • https://cdn-cms.f-static.net/uploads/4450156/normal_5fda3d03d05e1.pdf
    • http://sevowina.medianewsonline.com/sotefavagob.pdf
    • http://mokaxizekebade.scienceontheweb.net/what_is_a_food_chain_for_grade_3.pdf
    • https://static.s123-cdn-static.com/uploads/4376612/normal_5ff2e065183d9.pdf
    • http://zipafaxelati.sportsontheweb.net/96926731708.pdf
    • https://static.s123-cdn-static.com/uploads/4473938/normal_5fc98db8945f5.pdf
    • https://cdn-cms.f-static.net/uploads/4412394/normal_6022dc75a1b61.pdf
    • https://cdn-cms.f-static.net/uploads/4451363/normal_5fd102efdcc7b.pdf
    • https://cdn-cms.f-static.net/uploads/4406793/normal_60490f94c6bdb.pdf
    • http://xulubapatoso.scienceontheweb.net/jowupesanul.pdf
    • https://static.s123-cdn-static.com/uploads/4380699/normal_6000fd36bec97.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fenatagazise/kewoboxus.pdf
    • https://6200e599-3f2f-4e3e-ab45-e6977ed7e777.filesusr.com/ugd/f8de3e_7ea864c122be4fc683a8d0e7d5f7976e.pdf?index=true
    • https://s3.amazonaws.com/dapekufoxiraku/altered_carbon_book_parents_guide.pdf
    • https://s3.amazonaws.com/domegagowevag/whatsapp_plus_apk_latest_version_apkpure.pdf
    • https://uploads.strikinglycdn.com/files/c7c891d8-04bc-4b19-a336-d7dfbd2ac2ba/85971896098.pdf
    • https://7e073981-ad1c-4081-8dc0-76946ba36063.filesusr.com/ugd/c4f63d_aebc780209dc43a19c69689f4cb1f304.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7349e443-d6ee-4ff2-935d-22b897afbdad/zolatoxumifazaxikevu.pdf
    • https://s3.amazonaws.com/dosipive/leadership_coaching_guide.pdf
    • https://c8019651-2137-4367-b38e-775fff3f8a75.filesusr.com/ugd/fc5a02_3ead866e1fb3468fa091a6a8a598e34c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/59ff6b5d-be8b-45ec-9c15-382e8e79ff87/best_hotel_booking_app_in_india_2018.pdf
    • https://s3.amazonaws.com/paropabaru/39038339729.pdf
    • https://6478d21b-237c-41b5-add8-96d7b9819624.filesusr.com/ugd/c7ef1a_45d0fc4d2d8a489d9efa3f13bdc960d7.pdf?index=true
    • http://siniligavaxuvul.onlinewebshop.net/99790274542.pdf
    • https://5a2ada08-5b6c-402a-b0df-3636415b461e.filesusr.com/ugd/434ae6_c42ce21075a341e58def3768e8effc3a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/37ad1e40-b725-4d68-ba67-c19e0542918d/pokemon_sun_and_moon_starters.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f786.bin
b30805612b04981fa894f8f4fc3e379d543074a6659765262db1481d2444f524		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF786 5472 bytes
font_01_sfnt_off00010a1d.bin
d2031c1719840c75b02ada514e3bc1d0b3b7c084f2a1be00eb9ef3f3cf26acb6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A1D 11860 bytes
font_02_sfnt_off0001316b.bin
7e63eb3bed9c4ceaf47e86587cf77a789dba98dd2b4db382f0c7f052a0aeb8ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1316B 16160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.