Malicious PDF — malware analysis report

Static analysis result for SHA-256 012e9e8208fe0a95…

MALICIOUS

PDF

Size: 111.8 KB
Created: 2021-03-24 02:13:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b10e3a217adfbeb34dc5af0c46b4d930
SHA-1: 4542172abb988049f7acc4b7cac89b3953a626e4
SHA-256: 012e9e8208fe0a956341b68ff7d17feb3843c5a98f441d98b6778dce8dd7803a
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded external links, a technique often used for SEO poisoning or phishing campaigns. The ClamAV detection and ML classifier strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded links suggest an attempt to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source location inside the PDF, and the size.

  • font_00_sfnt_off00014298.bin
    SHA-256: 2eb2d981c4075b0842139196fa164021a983bae07797ed7e8f7440beb154c7a8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14298
    Size: 4972 bytes
  • font_01_sfnt_off0001536a.bin
    SHA-256: c858df80e9eda258b9315ea3cbd12405f70d652c1f75e838319c15eaab0fbd31
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1536A
    Size: 2144 bytes
  • font_02_sfnt_off00015d47.bin
    SHA-256: 89e3e96a75f4d8886d5320a168c660ab4ca4627a1855d04e38996dd4585b7da1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15D47
    Size: 13512 bytes
  • font_03_sfnt_off00018ad5.bin
    SHA-256: 2ab73670bc1ad969a398e377a1592e437ad097a8f81d86a28e2d7e89adb34759
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18AD5
    Size: 17104 bytes
  • font_04_sfnt_off0001a2f6.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A2F6
    Size: 4324 bytes