Malicious PDF — malware analysis report

Static analysis result for SHA-256 f52f9600a8135c46…

Verdict: MALICIOUS
File type: PDF
Size: 85.4 KB
Created: 2021-03-25 00:14:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0107ae4e6110b8a4377611529ea71cbc
SHA-1: 4f4e2831a42ed242e1566d63d3c553355ea3d045
SHA-256: f52f9600a8135c466c6c220a234bb1add6f81c5a04c026a0955d1170702f34ae
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF document contains a large number of external links, most of them pointing at other PDFs hosted on a handful of CDN and free-hosting domains, which is consistent with a generated link farm built to push search rankings for unrelated terms. The primary URL (on zajinet.ru, with the query keyword "upsc maths optional syllabus pdf download") is a lure for a syllabus download that redirects into a collection of other PDFs. The ML classifier score (0.9997) and the ClamAV detection together indicate malicious intent, most likely phishing or SEO abuse used to route victims into an unwanted-download chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (a URI, JavaScript or launch action, for example).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://zajinet.ru/award?keyword=upsc+maths+optional+syllabus+pdf+download
    Other URLs:
    • https://cdn.sqhk.co/jeporikate/gzOkAsU/novo_cinemas_manar_mall_north_ras_al_khaimah.pdf
    • https://cdn-cms.f-static.net/uploads/4446490/normal_600f2955c2760.pdf
    • https://static.s123-cdn-static.com/uploads/4379971/normal_5fe2ce54d85ac.pdf
    • http://wamijuw.22web.org/assembly_drawing_tutorial.pdf
    • https://cdn.sqhk.co/tinupolureg/aDqgdjb/25818017197.pdf
    • https://cdn.sqhk.co/jutigurotow/ifjNJhe/86021219443.pdf
    • https://cdn.sqhk.co/dabebasavus/ERgiUid/zamewuri.pdf
    • https://cdn.sqhk.co/nojedajoze/dLhjpqz/moemon_heart_gold_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://793776f3-68b4-44d3-947a-596ce2c6f652.filesusr.com/ugd/4e977a_e64ab14c97df4f288feb6ff1911df3b4.pdf?index=true
    • https://1c92f6d8-19eb-429c-9239-1cf6be91372f.filesusr.com/ugd/cc1a03_a09321d39b8f4a0b9ad659ec54f5e9d4.pdf?index=true
    • https://64f1e6a9-4530-4009-9f9b-67b91dd69f79.filesusr.com/ugd/76b6de_df2bc2a5d106452da70ebcfe57c8488e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0c809053-df6f-4eb8-ada9-2e3a33e31164/how_to_hook_my_directv_to_the_internet.pdf
    • https://ede8a7a3-2377-4e09-926a-401222b31c25.filesusr.com/ugd/81c89d_4aa0b6497eca494fa97fbd2944bfa3f2.pdf?index=true
    • http://jizowasogafiw.rf.gd/anjali_anjali_song_flute_music.pdf
    • http://livigoguja.epizy.com/79353787535.pdf
    • http://gilebufamefaf.rf.gd/zaduwobexu.pdf
    • https://uploads.strikinglycdn.com/files/94d6ac9d-6637-4c14-a6f0-62f46da86c62/how_to_help_safe_haven_babies.pdf
    • https://uploads.strikinglycdn.com/files/ce91247a-b12b-47f0-bbde-daaa0ea1ab80/dapepugumutezuw.pdf
    • https://9e2901ea-5d25-41a5-867c-54d0774c6e48.filesusr.com/ugd/4d0f37_fd49465eeaf449fd969348407892f617.pdf?index=true
    • https://36071b1a-d853-4ad1-bccf-0ed894d94038.filesusr.com/ugd/906e9f_b20c29e784fe42aca19f5b6d3be0218e.pdf?index=true
    • http://tosopipates.epizy.com/dobokawijizaxolijojus.pdf
    Namespace and licence URIs (standard XMP/RDF metadata identifiers and the SIL Open Font License URL, expected in any PDF carrying XMP metadata and embedded fonts; not indicators on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
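Worked example, added here and not the scanner's own code, showing how the two structural heuristics in the list above can be implemented: /URI extraction with per-host clustering in the spirit of PDF_SEO_LINK_FARM, and detection of an object number defined twice with differing bodies in the spirit of PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, including the first-wins versus last-wins view and the active-content filter that the description says should drive severity. The PDF bytes, host names and thresholds are constructed for illustration and are assumptions, not data from the analysed sample.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the file from the report): four /Link annotations whose
# /URI targets are mostly .pdf files on one host, followed by an incremental update
# that redefines object 7 0 with a different body. No xref tables, for brevity.
_HEX_URI = b"https://cdn.example-farm.test/b/222.pdf"
SAMPLE_PDF = b"\n".join([
    b"%PDF-1.4",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj",
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.test/a/111.pdf) >> >> endobj",
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <" + _HEX_URI.hex().encode() + b"> >> >> endobj",
    b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host.example.test/x\\(1\\).pdf) >> >> endobj",
    b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example-farm.test/c/333.pdf) >> >> endobj",
    b"trailer << /Root 1 0 R >>",
    b"%%EOF",
    # second definition of 7 0: a last-wins reader opens the lure, a first-wins reader the farm
    b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example.test/award?keyword=syllabus+pdf) >> >> endobj",
    b"trailer << /Root 1 0 R >>",
    b"%%EOF",
])

OBJ_RE = re.compile(rb"(?<!\w)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*(?=[(<])")
HEX_RE = re.compile(rb"<([0-9A-Fa-f\s]*)>")
# Keys whose presence makes a duplicated object "active" rather than cosmetic (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/SubmitForm", b"/GoToR", b"/OpenAction", b"/AA")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def _read_literal(buf, i):
    """Read the PDF literal string starting at buf[i] == b"(" (balanced parens and
    backslash escapes; octal \\ddd escapes are not handled in this example)."""
    depth, out = 0, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            out += _ESCAPES.get(buf[i + 1:i + 2], buf[i + 1:i + 2])
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def extract_uris(pdf):
    """All /URI values in document order, whether written as (literal) or <hex> strings."""
    uris = []
    for m in URI_RE.finditer(pdf):
        i = m.end()
        if pdf[i:i + 1] == b"(":
            s, _ = _read_literal(pdf, i)
        else:
            h = HEX_RE.match(pdf, i)
            s = bytes.fromhex(re.sub(rb"\s", b"", h.group(1)).decode("ascii")) if h else b""
        uris.append(s.decode("latin-1"))
    return uris


def host_clustering(uris):
    """Per-host counts of http(s) targets, plus how many targets are themselves .pdf files."""
    hosts, n_pdf = Counter(), 0
    for u in uris:
        p = urlsplit(u)
        if p.scheme not in ("http", "https") or not p.netloc:
            continue  # e.g. XMP namespace URIs are not clickable targets
        hosts[p.netloc.lower()] += 1
        n_pdf += p.path.lower().endswith(".pdf")
    return hosts, n_pdf


def seo_link_farm(pdf, min_pdf_links=3, dominant_frac=0.5):
    """PDF_SEO_LINK_FARM-style check; both thresholds are this example's assumptions."""
    hosts, n_pdf = host_clustering(extract_uris(pdf))
    total = sum(hosts.values())
    if not total:
        return False, {}
    top_host, top_n = hosts.most_common(1)[0]
    details = {"external": total, "pdf_targets": n_pdf, "top_host": top_host, "top_frac": top_n / total}
    return n_pdf >= min_pdf_links and top_n / total >= dominant_frac, details


def duplicate_objects(pdf):
    """Objects (num, gen) defined more than once with differing bodies, with what a first-wins
    and a last-wins reader would each resolve. Object-like text inside stream data could give
    false hits; a stream-aware tokenizer is out of scope here."""
    seen = {}
    for m in OBJ_RE.finditer(pdf):
        seen.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return {k: {"definitions": len(v), "first_wins": v[0], "last_wins": v[-1]}
            for k, v in seen.items() if len(set(v)) > 1}


def active_duplicates(pdf):
    """Duplicates whose bodies carry active content: the case the report raises severity for."""
    return {k: v for k, v in duplicate_objects(pdf).items()
            if any(key in v["first_wins"] + v["last_wins"] for key in ACTIVE_KEYS)}


if __name__ == "__main__":
    print("URIs:", extract_uris(SAMPLE_PDF))
    print("link farm:", seo_link_farm(SAMPLE_PDF))
    for k, v in active_duplicates(SAMPLE_PDF).items():
        print(f"{k[0]} {k[1]} obj x{v['definitions']}: first-wins {v['first_wins'][-45:]!r} / last-wins {v['last_wins'][-45:]!r}")
```

A scanner should extract URLs from every definition of a duplicated object, not only the one its own parser resolves, since the victim's reader may pick the other body; that is why the example keeps both first-wins and last-wins views.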

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00011051.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11051   5624 bytes
  SHA-256: a471d404c89d6494988a1282592ab917a35a835eb087e59ec1904858e41181bf
font_01_sfnt_off0001235c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1235C   10828 bytes
  SHA-256: 935aaa090dcd3cb524371db869de9ae5aa4c95e949b25fe1d9debfceffaf35b2