Malicious PDF — malware analysis report

Static analysis result for SHA-256 fcfe579bc51fe902…

Verdict: MALICIOUS
File type: PDF
Size: 75.3 KB
Created: 2021-03-15 15:52:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5140dc337f0303910722ee6b226de0c4
SHA-1: d1e4afd27a0502249f74f56390f3cb4ef785c072
SHA-256: fcfe579bc51fe9024c58ed184b010c6a89e2ca1603f2db90ba65a92647c951ac
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous external links, most of them pointing to other PDF files hosted on a small set of file-hosting services (filesusr.com, strikinglycdn.com, s3.amazonaws.com) and on free-hosting subdomains, which is the pattern of a generated SEO link farm or redirection chain rather than a normal document citation pattern. The authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a document generated from a web page. The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier score (0.9952) both indicate malicious intent, most likely phishing or unwanted-software distribution. The embedded URLs together with the PDF_SEO_LINK_FARM heuristic point to an attempt to disguise malicious content inside a seemingly legitimate document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDF files, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or open actions, and similar).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/award?keyword=sociology+a+level+revision+guide+pdf
    • http://duwosolutanuz.mypressonline.com/bodedokuzep.pdf
    • http://xovijezup.mywebcommunity.org/sufapepinavebiruxigena.pdf
    • http://dalosizofovabes.medianewsonline.com/probability_theory_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://460eb545-5389-4aa9-9e78-d1074a8bca0c.filesusr.com/ugd/21a131_e1d2fec085254f07a44cf436953d24c0.pdf?index=true
    • https://bd5e8a39-7345-4d1c-b933-e8ec171ec4b0.filesusr.com/ugd/2dab9e_1bb704b20aa34c3b81d31e075057094f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1776e446-c0c6-4624-8222-8956c30c85f6/7406698113.pdf
    • https://s3.amazonaws.com/toguvaju/65947523342.pdf
    • https://fbaba6ab-37cf-477f-82bd-e10a416eccda.filesusr.com/ugd/3c8574_13ee46f2cf4b482e94e8264f1f6b53bd.pdf?index=true
    • https://s3.amazonaws.com/wiwuxot/english_2_test_writing_effective_sentences.pdf
    • http://wovuluvoju.onlinewebshop.net/70104538994.pdf
    • https://b56e00ce-d729-42e9-814b-b9a4b194f5ba.filesusr.com/ugd/f6f93f_a02dd5e29f9f470a8ecf366da9d9f61c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d58c81c1-9c91-4759-ab73-0646f2998458/janome_hd1000_manual.pdf
    • https://uploads.strikinglycdn.com/files/b2978073-bde2-42e0-9b4f-24598dbcefd0/what_to_do_when_service_airbag_light_comes_on.pdf
    • https://3d3b31fc-6152-41c7-b1d4-a4af3afcce63.filesusr.com/ugd/3f8d85_1fec6ba47ee14825b9ffe8f082201ffe.pdf?index=true
    • https://s3.amazonaws.com/tixeligufokup/whatsapp_free_macbook_air.pdf
    • https://f72b89be-0fa6-41ee-8162-331329ef78ce.filesusr.com/ugd/95089d_fd04dbe381be4b0386e6c49b34203bb7.pdf?index=true
    • https://uploads.strikinglycdn.com/files/05e9ad27-dc9c-4b84-bbee-03da8249879c/20116976786.pdf
    • https://b2f3f1fb-4f3f-4d5d-be65-f5b10dce6288.filesusr.com/ugd/735189_6283e9590ec44e32b97ad5f639fa2930.pdf?index=true
    • https://8ed62699-7d02-4439-b935-4286882ef7d4.filesusr.com/ugd/229b11_ecc5bdb06a1a4d4a85a28d485d9bec67.pdf?index=true
    • https://uploads.strikinglycdn.com/files/90ebc7f3-26c4-4111-91d3-f22875518ecd/how_to_make_google_maps_route.pdf
    • https://s3.amazonaws.com/foneniz/59204630606.pdf
    • https://uploads.strikinglycdn.com/files/34751477-bb7e-4058-ac42-ad3aab49dfd3/how_to_clean_a_hobart_slicer.pdf
    • https://uploads.strikinglycdn.com/files/fdc41d39-9573-48ac-a92d-c52d39cce783/why_is_my_motion_sensor_light_blinking_red.pdf
    • https://s3.amazonaws.com/vifusupegiza/mercedes_benz_c_class_owners_manual.pdf
    • https://a9f3490c-def6-45ea-9957-aefa341d54bd.filesusr.com/ugd/84b587_54a6534107a744569a1984b3058702b4.pdf?index=true
    • https://29159626-56e2-4eb2-a8c1-eb081f451e44.filesusr.com/ugd/a58502_1cf9c27fb4094c8f8b6ce8d11739d9d2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP/RDF namespace identifiers from the document metadata and the SIL Open Font License URL from the embedded fonts' licence strings, not link annotations; they are not indicators and can be ignored when triaging the list.
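The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a plain byte-level scan of the file. The following Python is an added example written for this page; it is not the analysis engine's code, and its thresholds (file size, minimum number of .pdf links, host clustering ratio) and its list of "active content" keys are assumptions chosen to illustrate the rules as the report describes them. The sample PDF it scans is constructed inline and is not the analysed file.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a minimal PDF-shaped byte string with
# (a) five /URI link annotations, four of them .pdf links on one host, and
# (b) object "5 0" defined twice, the later body carrying /JavaScript.
SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [10 0 R 11 0 R 12 0 R 13 0 R 14 0 R] >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/a.pdf) >> >> endobj
11 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/b.pdf) >> >> endobj
12 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/c.pdf) >> >> endobj
13 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/d.pdf) >> >> endobj
14 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://vendor.example/) >> >> endobj
5 0 obj << /Length 5 >> stream
hello
endstream endobj
trailer << /Root 1 0 R >>
5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" definitions in file order. A raw scan ignores the xref
# table, which is exactly the point: it sees every definition a lenient reader might.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI values only; hex strings and indirect references are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed list of dictionary keys that mark "active content" for severity escalation.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def iter_objects(data):
    """Yield ((num, gen), body_bytes) for every indirect object definition found."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def find_duplicate_objects(data):
    """Return {(num, gen): [body, ...]} for ids defined more than once with differing bodies."""
    seen = {}
    for key, body in iter_objects(data):
        seen.setdefault(key, []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def classify_duplicates(data):
    """Apply the report's rule: a body-only difference stays 'info', but a duplicate
    whose bodies differ and where any body carries active content is escalated.
    'first' is what a first-wins reader resolves, 'last' what a last-wins reader resolves."""
    findings = []
    for key, bodies in find_duplicate_objects(data).items():
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({"obj": key, "first": bodies[0], "last": bodies[-1],
                         "severity": "high" if active else "info"})
    return findings


def extract_uris(data):
    """All literal /URI targets, decoded as Latin-1 so arbitrary bytes survive."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def link_farm_score(data, max_size=200_000, min_pdf_links=4, min_cluster=0.6):
    """Small file, many .pdf links, mostly on one host => link-farm hit (thresholds assumed)."""
    uris = extract_uris(data)
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    cluster = top_count / len(pdf_links) if pdf_links else 0.0
    hit = len(data) <= max_size and len(pdf_links) >= min_pdf_links and cluster >= min_cluster
    return {"uris": len(uris), "pdf_links": len(pdf_links), "top_host": top_host,
            "cluster": round(cluster, 2), "hit": hit}


if __name__ == "__main__":
    print("link farm:", link_farm_score(SAMPLE))
    for f in classify_duplicates(SAMPLE):
        print("duplicate object %d %d [%s]" % (f["obj"][0], f["obj"][1], f["severity"]))
        print("  first-wins body:", f["first"][:60])
        print("  last-wins body: ", f["last"][:60])
```

To run it against a real sample, replace SAMPLE with the file's bytes. Real readers resolve objects through the xref table and incremental-update chain, so a raw scan is an over-approximation: it flags every redefinition, including the benign incremental updates the report mentions, which is why the severity escalation keys on active content rather than on the duplication alone.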

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs, which are expected in wkhtmltopdf output; they are listed so they can be checked independently, not because they are indicators in themselves.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000d9a1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD9A1   5388 bytes
  SHA-256: 2b722bdfe52ff25d6b395dad78d1154f7e16c7020360fceea8ff9f80ca4fb597
font_01_sfnt_off0000ebf4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEBF4   10924 bytes
  SHA-256: 1922bbf64dfc0e540646c52495f917a3b17123afc7186f00088b0f5363719bb4
font_02_sfnt_off00011109.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11109  4324 bytes
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333