Malicious PDF — malware analysis report

Static analysis result for SHA-256 f468eceb69ecf1e4…

Verdict: MALICIOUS
File type: PDF
Size: 73.0 KB
Created: 2021-04-04 17:00:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 33cf5eff6ef71b3e62a3128f02367eb0
SHA-1: 7e74c65b7768915a9b811562ac0c08981e1de1a5
SHA-256: f468eceb69ecf1e4242d0ee02fef8a201f43ff0a443e562664e9842202da1d89
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of embedded external links, many of which are SEO-focused, suggesting a link farm or phishing attempt. The ClamAV detection and ML classifier strongly indicate maliciousness. While no scripts were directly extracted, the PDF structure and embedded links are indicative of a phishing lure designed to redirect users to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000db51.bin
    SHA-256: ec08727983582781f58f9c3d0e78b799448f4c582187f5dfa9feba6db288541c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDB51
    Size: 5788 bytes
  • Filename: font_01_sfnt_off0000eef3.bin
    SHA-256: f7e8d9f2965519f5e7a7ccb40a6ef58af52d1586b8e618122ef13ebd82fe05df
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEEF3
    Size: 11044 bytes