Malicious PDF — malware analysis report

Static analysis result for SHA-256 faf0bf47b667241e…

MALICIOUS

PDF

81.0 KB Created: 2021-03-19 20:53:42 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 123a78362bbc62bc0dbaaf1e64578134 SHA-1: cf602fc4c8726dc23208cf2ff734050b9f6429ac SHA-256: faf0bf47b667241eb491a44bc67883c11905ed415543747e7f6058f315b01b2d
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous external URIs, with one pointing to 'seumenha.ru', suggesting it functions as a link farm or phishing lure. The presence of embedded URLs and the 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristic further support that the document's primary purpose is to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/strik?utm_term=asu+electrical+engineering+online+major+map
    • https://cdn.sqhk.co/gituridewo/cjfWhf3/league_of_legends_wild_rift_free_download_android.pdf
    • http://jesofoma.getenjoyment.net/vemoropen.pdf
    • http://jusojixanona.getenjoyment.net/unit_1_statistics_and_probability_calculator.pdf
    • http://pofuxubilet.sportsontheweb.net/asus_eeebook_x205ta_price_in_nigeria.pdf
    • https://cdn.sqhk.co/kitujesijak/eTgcWEq/52900417313.pdf
    • http://it50save.info/c_language_basic_programs_liste99ej.pdf
    • http://tk-pobeda.site/87599765492p40sb.pdf
    • https://cdn.sqhk.co/bifugudawesu/9B8jcjf/3d_pool_ball_hack_coins.pdf
    • http://psychologyrelax.xyz/tezofoxivodokonox93hn0.pdf
    • http://yachtcharter.group/farmall_h_carburetor_float_adjustmentw5xch.pdf
    • http://frontglass.xyz/694470490640xqph.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/c3e9d548-c3bb-40d9-b385-b5eae2df92cc/non-destructive_testing_ndt_market.pdf
    • https://b147a2f3-58af-4013-9def-597e86e94513.filesusr.com/ugd/47d6bb_800ef82b73a64a79a2c843cf7f6a1173.pdf?index=true
    • https://44034db3-6cdd-4729-adf3-7ccd6afcf354.filesusr.com/ugd/9fe9cc_3ce52b938cec495191a5d7d092f5548f.pdf?index=true
    • https://59b7e61f-9850-45ee-add2-e9646db267e4.filesusr.com/ugd/5b9365_d539545f30064aa09424dea9379ce4d8.pdf?index=true
    • https://ab25a8b3-4d80-4d4b-93a1-c1347014fa7c.filesusr.com/ugd/8d0191_b0783b2acd5c493ab03f354a2f8c7601.pdf?index=true
    • https://uploads.strikinglycdn.com/files/95bd1824-4225-47d3-99d1-3007804cd870/lifivanolefutunuwewugozed.pdf
    • http://petojijoxura.onlinewebshop.net/does_netflix_have_too_big_to_fail.pdf
    • https://08202b68-adf4-4b7d-bb06-fcebe54c78b8.filesusr.com/ugd/76dd3d_edf5aee25876495c92246167f6705ce3.pdf?index=true
    • https://c504e2ef-f928-4e80-b5b1-fc05046f432e.filesusr.com/ugd/247f25_b06b2248788f42c98d362e4423787c25.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1cd1ce67-68a8-458d-aaf2-33bdff670419/is_the_chrysler_3.7_a_good_engine.pdf
    • https://ff0b3df2-dc61-4aeb-9024-93fa9b5bc175.filesusr.com/ugd/aa14a9_39bfa51742234484b268ce6ef27b8a10.pdf?index=true
    • https://19972ee8-34f0-4900-8009-9f590161cd02.filesusr.com/ugd/64db51_1eac54252bf548c9befed6df8c070b04.pdf?index=true
    • https://f45985d3-969e-4a4b-a16b-f92b7c881388.filesusr.com/ugd/20da2d_4aa4d4ce68c64d87bb658f7a50e30cb7.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fa61.bin
c0b8c7ff4d2dcdf25837b75fbda35fef0f6830f452b1cc1c177b179f85c3e98d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFA61 5316 bytes
font_01_sfnt_off00010c69.bin
a397638541724e186dac669990e82bc110b30d093a406a6a54af632eb59f7a68		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C69 11576 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.