Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb39cb570ce3732f…

MALICIOUS

PDF

85.4 KB Created: 2021-03-11 18:41:23 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c871b5bc36ebe5df45a5677c7335b0ed SHA-1: 05715b069738989a73a551bf289ff6ac8c9483e8 SHA-256: fb39cb570ce3732fea25081c7144a6945b75f97d71685547ba511307d89e25ba
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The document contains numerous external links, with a significant number pointing to PDF files hosted on suspicious domains, suggesting a link farm or SEO poisoning tactic to distribute malware. While no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a phishing or malware distribution attempt, likely leveraging embedded JavaScript for execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/award?keyword=aligarh+movement+notes+pdf+in+urdu
    • http://yogist.fun/fafezinegupamipulixonirx1zv.pdf
    • http://levelupguild.com/tisefegenorizowozafunu9cfcb.pdf
    • http://cheatyou.site/soxiliwenusukevifalipimysghr.pdf
    • http://raisinslabs.club/wedupan5uoh2.pdf
    • http://shtangye.xyz/convert_unit_rates_worksheet_7th_gradeu1iqz.pdf
    • http://presalle.xyz/trigonometry_identities_for_class_10thujkay.pdf
    • http://taptopbot.com/sevamipalijuv4i8b.pdf
    • http://buyfastedcircle.xyz/eclipse_free_64_bit_zipxkc0s.pdf
    • http://muldwych.com/mabenifuxixasawezinabd9he8.pdf
    • http://yourbigdick.space/vuzafafjy25.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b004589c-d73a-4873-90a9-dcae3367ecae/53669622654.pdf
    • https://68fdcf0a-b1f0-4758-9edf-48d2be6d990b.filesusr.com/ugd/ac51ce_eeb6d11414b540ad9ae47fc36b549f60.pdf?index=true
    • https://c145ee04-3c3b-4786-8b94-e0511401b322.filesusr.com/ugd/de65f7_8fe222103bfe4ca3bf10db5386df8c5c.pdf?index=true
    • https://5b949be5-44ef-49af-96c7-0ebaa8fe632e.filesusr.com/ugd/3402b1_46d0adf0780b49448d11dc19f8ca2d2c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/24deb0c3-77b9-44cd-8f63-a6cdd82be306/41734938094.pdf
    • https://182222a4-a7a4-434f-839c-7103b506edb5.filesusr.com/ugd/224a67_31f7dc40c1c64c3fbed6fb92c0e51bc4.pdf?index=true
    • https://551f0ad2-75d1-4009-b90b-2f3e3e20230b.filesusr.com/ugd/c2bf0a_8168af1ce9b7486cb125716ba16f5e04.pdf?index=true
    • https://uploads.strikinglycdn.com/files/144664a7-71be-4322-847e-22737837a85b/41043523820.pdf
    • https://f6ce3cfb-f922-470c-9e0e-eaf724001b0e.filesusr.com/ugd/defcb2_1a67b08938204b93b02b94f24599805f.pdf?index=true
    • https://7404da97-7fcf-4d5f-9d5f-3f8644e6773a.filesusr.com/ugd/35f767_0f4887a8f44c408999bf31fd19dd594b.pdf?index=true
    • https://uploads.strikinglycdn.com/files/39397a1f-e91c-4631-a9eb-5ca3c460a875/78958179990.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011178.bin
30e84c5d897e098312ebe8d326159bc368874113ad8693b3356107efa67efa85		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11178 5504 bytes
font_01_sfnt_off00012413.bin
59b92e2f341bc1778142f68b5786ba32f2b0bb0a5eff2906c8dc57c586dbca6f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12413 10724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.