Malicious PDF — malware analysis report

Static analysis result for SHA-256 fec5b054f39279dc…

MALICIOUS

PDF

93.5 KB Created: 2021-04-06 00:54:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d3d5dac1b08f3865650437cd4b176da1 SHA-1: 73708b854cdf2bea432cfa24d788739bba904b46 SHA-256: fec5b054f39279dc5cc75a5b68f101f6431ac8e8c1b50eb717398561eb64028e
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by a machine learning classifier and ClamAV. It contains a large number of external links, indicating a link farm designed to direct users to potentially malicious or SEO-manipulated content. The presence of embedded URLs and the overall structure suggest an attempt to exploit user curiosity or search engine optimization tactics for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/strik?utm_term=cyberpunk+2077+release+date+ps5+pre+order
    • https://pozosukezogi.weebly.com/uploads/1/3/4/3/134386022/mitugedoje_kivojuwivor.pdf
    • https://fifofisepag.weebly.com/uploads/1/3/5/9/135985139/0bd46bf32b1517.pdf
    • http://latejugo.22web.org/lomex.pdf
    • https://tudegikugil.weebly.com/uploads/1/3/5/3/135317618/bewadoponagosi-refuw-vizarerezomafub-delasaligi.pdf
    • http://kevifiregerufug.scienceontheweb.net/what_are_some_fun_video_games_to_play.pdf
    • https://nefolebar.weebly.com/uploads/1/3/4/4/134400051/9085714.pdf
    • http://vibolofisef.mywebcommunity.org/firefly_promo_code_2020_reddit.pdf
    • http://tuzirawejaw.mypressonline.com/improving_reading_skills_for_ielts.pdf
    • http://tofogabe.iblogger.org/vezodunulelewinuxu.pdf
    • https://tonikajolokoge.weebly.com/uploads/1/3/0/8/130874266/dagup-kigonewibawovag.pdf
    • http://kufejat.sportsontheweb.net/83110346804.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/ea93ddf9-0200-42a5-8524-e125463b4579/65125180673.pdf
    • https://1a6c606f-1efd-495f-9370-57f425d809fd.filesusr.com/ugd/1be480_b4447ae489ee466eba5b1537bbf5976e.pdf?index=true
    • http://refufigatuzar.epizy.com/congregational_form_of_church_government.pdf
    • http://pufaperimixalet.epizy.com/indices_gcse_worksheet.pdf
    • http://lipeporo.onlinewebshop.net/nalasofuzizefamob.pdf
    • https://ce322291-b3da-4cc2-ae0f-523e25daec44.filesusr.com/ugd/4530da_959eeda6e9064c3bb020824df6041c46.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5e1a01b0-4eea-404d-b0f2-9ee112f9a964/9944173531.pdf
    • http://sozazibelafi.rf.gd/72148785771.pdf
    • http://lutodize.epizy.com/ragamuv.pdf
    • http://tafinefonekon.rf.gd/body_systems_and_functions.pdf
    • http://fositelorefux.epizy.com/tuligotiv.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011bf4.bin
f106a1cc7703e4abfa43c0f5d351f2be7c974f98cd82a017c5f5f8f04aae9106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11BF4 5644 bytes
font_01_sfnt_off00012f42.bin
439bc47c73ae074025474e231a70b85c9eb867aee14534dbeefc47da29a04fc3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12F42 17704 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.