Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3c1f71868390cc5…

Verdict: MALICIOUS
File type: PDF
Size: 81.1 KB
Created: 2021-02-17 03:55:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 30301b25d7949937bc07a876e2ab2ddf
SHA-1: f12e6568d428aa0fb6de64851ddfffedf0dfc20f
SHA-256: f3c1f71868390cc521e1650d89795d541b1ec5a066c415436a105338cfeb7680
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which are SEO-optimized and point to potentially malicious content, as indicated by the PDF_SEO_LINK_FARM heuristic and ClamAV detection. The presence of a download button lure further supports a phishing or malware distribution attempt. While no scripts were directly extracted, the overall structure and link farm suggest the document is designed to redirect users to malicious sites or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/wix?keyword=drastic+ds+emulator+apk+download+free
    • https://dufofisejufosu.weebly.com/uploads/1/3/4/8/134875198/jukepawugobozo.pdf
    • http://nupubidodeje.22web.org/85048707060.pdf
    • http://nususolajegak.iblogger.org/apache_office_suite_free.pdf
    • https://cdn.sqhk.co/mogezunir/jaSJhip/stickers_kawasaki_ninja_636.pdf
    • https://cdn.sqhk.co/lilavokolet/bvNgfYn/twisted_tea_distributor_near_me.pdf
    • https://cdn.sqhk.co/keximovib/ApjcESb/84220024588.pdf
    • https://cdn-cms.f-static.net/uploads/4371788/normal_5fdbd2457e288.pdf
    • https://fekugutupufug.weebly.com/uploads/1/3/4/8/134876907/koxugo-pumujovinel-lotikesaxe.pdf
    • https://zuwadakake.weebly.com/uploads/1/3/4/6/134664894/soseg-fipedimigen-debekirufud.pdf
    • https://static.s123-cdn-static.com/uploads/4464052/normal_5ff7a442549eb.pdf
    • https://dufemejilesola.weebly.com/uploads/1/3/1/4/131453127/dasadep_dowelisivuxod_zefogorajo.pdf
    • https://cdn.sqhk.co/mikakiraw/hhiYgeP/42694886562.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/xubifupi/form_for_passport_renewal_minor.pdf
    • https://s3.amazonaws.com/vabedafozo/bristol_cathedral_choir_school_sixth_form.pdf
    • https://s3.amazonaws.com/xukonakefules/civics_questions_answers.pdf
    • http://koxosam.rf.gd/wegomokeguputavigid.pdf
    • http://vozuxekeve.rf.gd/45651591934.pdf
    • https://s3.amazonaws.com/rerinago/jimarajeletobemifesasos.pdf
    • https://s3.amazonaws.com/zodererezuzuxi/define_reporter_assays.pdf
    • https://s3.amazonaws.com/zarelusipofox/filijubuzonu.pdf
    • https://s3.amazonaws.com/magapeguwabe/galvanised_corrugated_sheets_near_me.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f34f.bin
    SHA-256: e28efb1c2ef32ffc006aa915685bb7508c9e0b7ddc911e5a8584428512e3d5b8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF34F
    Size: 5340 bytes
  • Filename: font_01_sfnt_off0001056f.bin
    SHA-256: bb77e734a2975fd198b5711266423520ef6053998ecef884e666b11680ce7755
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1056F
    Size: 10308 bytes
  • Filename: font_02_sfnt_off00012883.bin
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12883
    Size: 4324 bytes