Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff1269baa9ec5b57…

Verdict: MALICIOUS
File type: PDF
Size: 112.1 KB
Created: 2021-06-01 07:38:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 374b69dca4d78bb0d759de9630aad0a1
SHA-1: 77cf631099d2363bf112afbcbfb4500a77f74b32
SHA-256: ff1269baa9ec5b578b46d166e365203e99955e83cecbcc78f34a0967db655b22
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by a ClamAV signature, an ML classifier and several heuristics. It contains a large number of external links, and one heuristic specifically identifies it as a PDF_SEO_LINK_FARM. While the document body presents itself as a Minecraft guide, the sheer volume of links and the presence of a potentially malicious URL (laborke.ru) indicate a deceptive purpose, most likely SEO manipulation or redirecting users to malicious sites.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9987

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/pbw?utm_term=how+to+make+a+creeper+farm+in+minecraft+1.16

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00014ec1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14EC1   5304 bytes
  SHA-256: 1b796266574774d83d99b8e97c9df82c7233c15d2017d4b623a82a414f5ddac7
font_01_sfnt_off000160cf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x160CF   4268 bytes
  SHA-256: 2d697cc7f0253bb6ab9bb0cc4fb88f113a8671a22bd5b98f8e9bc0fb9f2c4570
font_02_sfnt_off00017153.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x17153   12968 bytes
  SHA-256: 51ce4636eea16220ab622b4dc37e43be8f8fbf3a3cd019a5441bbde978611698
font_03_sfnt_off00019c48.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x19C48   16204 bytes
  SHA-256: 73bb1f519e29941fc98367ae33a8b679223d41029fbf73fb5c585da9ec8c2502