Malicious PDF — malware analysis report

Static analysis result for SHA-256 00463cbdff82f875…

MALICIOUS

PDF

83.4 KB Created: 2021-04-05 05:23:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7e528a2ced8f7a6ce9e9dd516a20c898 SHA-1: 3ce262e2909e87e30b38ce9ee4ee7fa75bf5ffaa SHA-256: 00463cbdff82f87557b9ca7cb5e050cfcd68a3fb51aa505799e741a03c339648
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDFs hosted on file-sharing services. The primary URL suggests a lure to download a modified application. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/wix?keyword=download+critical+ops+mod+apk+new+version
    • https://vaxeratomox.weebly.com/uploads/1/3/4/3/134397216/1ee16cc77a3.pdf
    • https://mubikobilowopo.weebly.com/uploads/1/3/0/9/130969089/9944086fdc8.pdf
    • https://guditeni.weebly.com/uploads/1/3/4/5/134529862/birolezun_jorexujaluf.pdf
    • https://cdn-cms.f-static.net/uploads/4495974/normal_604d000938cbe.pdf
    • https://static.s123-cdn-static.com/uploads/4455898/normal_5ff2b96c9e21b.pdf
    • https://cdn-cms.f-static.net/uploads/4485718/normal_6037b98c9c8f9.pdf
    • https://static.s123-cdn-static.com/uploads/4457876/normal_5fc6d303ac7bf.pdf
    • https://cdn-cms.f-static.net/uploads/4486368/normal_5fea196f66175.pdf
    • https://cdn-cms.f-static.net/uploads/4459318/normal_606a12c873034.pdf
    • https://static.s123-cdn-static.com/uploads/4473954/normal_5ff08d24c49b0.pdf
    • https://soguleta.weebly.com/uploads/1/3/4/3/134305846/pewufebupixurug.pdf
    • https://cdn-cms.f-static.net/uploads/4496597/normal_604ce5b273844.pdf
    • https://cdn-cms.f-static.net/uploads/4366989/normal_605036e99bbf6.pdf
    • http://wivejudotimog.22web.org/front_office_assistant_interview_questions_and_answers.pdf
    • https://static.s123-cdn-static.com/uploads/4377112/normal_6000a0378ab63.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://3568c1c9-c281-4b9a-9ea9-d5d291e0176b.filesusr.com/ugd/e5d8db_88408f77045e46a1b6f1158e7712528c.pdf?index=true
    • https://30dce114-5b7d-4ba4-aa44-e083516804ec.filesusr.com/ugd/7de0fd_0cfb8924db8048f28c5514ba997164ec.pdf?index=true
    • https://13dbc848-c95e-4197-a439-3ae2050b6ee2.filesusr.com/ugd/46bbe5_9ab7971cd34a4b0cb55405eb22c692fc.pdf?index=true
    • https://2ad55d82-15d9-4995-b72c-f03dca93b5f4.filesusr.com/ugd/11b7eb_2948b325ca234b2faa1b974e8cf395de.pdf?index=true
    • https://9e2901ea-5d25-41a5-867c-54d0774c6e48.filesusr.com/ugd/4d0f37_886b59253d294905ae2703cf5f09056c.pdf?index=true
    • https://98cdd5c5-c43e-49eb-9373-39517e896cbb.filesusr.com/ugd/90661f_3b3b62cccd034a86abd3e52f8d26f478.pdf?index=true
    • http://veramok.rf.gd/94000959493.pdf
    • http://napizexem.rf.gd/oxford_discover_science_3.pdf
    • https://20e8ec16-a7ca-487e-906f-4b2d5c2744e2.filesusr.com/ugd/ab81b8_c2a9308dacaa4827bdbad3fb2aa7bbb3.pdf?index=true
    • https://c216880a-03a2-4774-ab7e-121c93799e8f.filesusr.com/ugd/b5aed9_17e59b532f214973b19114b2801f288a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f9ce.bin
927656a62bdaab07559d047b3f3d1bd74c1485700a6fdc7dad426c54046f6e14		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF9CE 5432 bytes
font_01_sfnt_off00010c55.bin
45a1c78cc1338c195a466c0a1d168f6be035ebccf6688bb346873612d895f247		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C55 15764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.