Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd04437c08af9c94…

Verdict: MALICIOUS
File type: PDF
Size: 99.8 KB
Created: 2021-03-10 12:47:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 763bfb714e5fb2f1ba5512cc4c1c49a0
SHA-1: 1858a2986f5e10b6224cb88c320a3b23d942be6a
SHA-256: fd04437c08af9c94ad12dc243b3277d9afff139ae947f3bdc6fce2084d9f9524
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a heuristic firing for PDF_SEO_LINK_FARM, indicating a large number of external links, many of which are to unknown or potentially malicious domains. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or SEO spam. While no scripts were directly extracted, the PDF structure and link farm behavior point towards an attempt to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, kind, source location in the sample, and size.

  • stream_004_off00013eb4.bin
    SHA-256: db8074d47b4a664003c16ee12f4719c7272fe25fc36e1ea85d1b5d47103954b3
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x13EB4
    Size: 29496 bytes
  • font_00_sfnt_off00010a02.bin
    SHA-256: cddc5f125456cbe77e957e5d1ab2d8c8cd1ad7ac55e0332c9ab5c6aa419be923
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A02
    Size: 5024 bytes
  • font_01_sfnt_off00011b0d.bin
    SHA-256: 67c97f1b43b9694efae81f3bb3b75ee318ffce7311f0f692d1eff5fdd6361625
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11B0D
    Size: 10340 bytes
  • font_03_sfnt_off000173ab.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x173AB
    Size: 4324 bytes