Malicious PDF — malware analysis report

Static analysis result for SHA-256 0179629029bc426b…

Verdict: MALICIOUS
File type: PDF
Size: 80.3 KB
Created: 2021-05-21 17:47:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-17
MD5: b682c4403d43d230ea72eeab480b7128
SHA-1: 80ef0011b7d8709d8857ae75a5d768e86ea15df7
SHA-256: 0179629029bc426b529b5f0a189b55629c810d0067b8ee387385d1bf79194b8c
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged by a critical ClamAV signature (Pdf.Phishing.Trojan) and by the Nyx PDF classifier (malicious score 0.9993). The file is small (80.3 KB) and was generated with wkhtmltopdf, and its visible text carries 25 links to other PDFs hosted on uploads.strikinglycdn.com, weebly.com subdomains and s3.amazonaws.com, while the only URL action is a link annotation pointing at a feedproxy.google.com redirector carrying an SEO keyword (tissot t touch 2). That pattern matches generated SEO/link-farm PDF carriers that route users into malicious or unwanted-software delivery chains rather than a document citing sources. The SE_PASSWORD_ARCHIVE_LURE heuristic indicates the text gives password instructions for an archive or attachment, a social-engineering pattern used to keep a payload encrypted until it is past gateway scanning. Note that none of the six heuristics below fired on JavaScript content, so the T1059.007 tag is not corroborated by the listed detections; T1566.001 reflects the likely delivery vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (6)

  • ClamAV detection (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 matched this file.
  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff (severity: high, tag: SE_PASSWORD_ARCHIVE_LURE)
    The document gives password instructions for an archive or attachment, a pattern often used to keep payloads encrypted until after gateway scanning.
  • External URI (severity: info, tag: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vevotudoxis.weebly.com/uploads/1/3/5/3/135313682/3377434.pdf (PDF document text)
    • https://gewuvakir.weebly.com/uploads/1/3/4/6/134660990/jaxumexotev.pdf (PDF document text)
    • https://tekoxinir.weebly.com/uploads/1/3/4/6/134606092/togebetewevabog_duxojosip.pdf (PDF document text)
    • https://davufafelasipip.weebly.com/uploads/1/3/4/3/134328138/nogikemeda.pdf (PDF document text)
    • https://tudadakamoziv.weebly.com/uploads/1/3/4/5/134596668/walutepixe.pdf (PDF document text)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • http://feedproxy.google.com/~r/wb/ENAH/~3/_7yJ53orglQ/wb?keyword=tissot%20t%20touch%202 (PDF link annotation)
    • https://uploads.strikinglycdn.com/files/f588558e-4c1d-427c-94aa-198de831dfd0/what_does_the_stick_pin_emoji_mean.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/d0e5fe5a-0266-4e5e-9772-dee469dce9e6/autocad_tutorials_for_beginners_floor_plan.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/b04c6175-d573-4864-8532-84cbe36880df/free_romantic_book_downloads_for_kindle.pdf (PDF document text)
    • https://s3.amazonaws.com/rojalexipokadaz/caliphs_of_islam.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/aa35adad-d504-487e-a14d-51320d8149ff/jodukekaxupasigiv.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/706bd44a-eadd-4ee5-b1cd-0f04ccf006fd/30980207978.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/a8f3ebfd-229f-4d2f-a5c9-23e9a0d60445/devil_take_the_hindmost_lyrics_2018.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/ef2ea237-98fb-4da7-a91f-7303a566e37e/25144304032.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/1fa72fca-cebf-4cc5-84f4-024b1f097ee9/80844710688.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/b7975c57-1ac2-4ffb-b84a-b09e806221b8/wufamudezometikixamoxupan.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/1522211f-0379-4ddd-8f9e-425cfa1a3fa0/walgreens_ultrasonic_humidifier_2065_manual.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/8ce867ea-44dc-4f75-af63-464db24d1a35/80129131507.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/0eb71310-717e-4264-a117-3bfcf01428ef/petomudawuro.pdf (PDF document text)
    • https://s3.amazonaws.com/vaxebisapesi/nozexaguroviliraj.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/bbdb6ee2-c4fb-4115-bc22-0189ce5e787a/zifeguvigix.pdf (PDF document text)
    • https://s3.amazonaws.com/mipizaju/que_es_auditoria_fiscal.pdf (PDF document text)
    • https://s3.amazonaws.com/rogugagatuf/can_i_go_to_a_shooting_range_without_a_license.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/3d1a87e4-8def-4e3b-911f-8a08de498766/94103018674.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/953d27e0-c621-4a53-ab89-0623b8c4ec31/saviwu.pdf (PDF document text)
    • https://s3.amazonaws.com/zowibatev/fender_precision_bass_serial_number_guide.pdf (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)
    Reading the list: the 25 .pdf links (15 on uploads.strikinglycdn.com, 5 on weebly.com subdomains, 5 on s3.amazonaws.com) are the link-farm payload, and the feedproxy.google.com entry is the only URL action in the document. The last seven entries, from the rdf-syntax-ns URI through scripts.sil.org/OFL, are XMP/RDF namespace identifiers and the SIL Open Font License URL from the metadata stream and embedded font data, not navigable links; the two ascendercorp.com entries are most likely vendor strings from the two embedded sfnt fonts listed under Extracted artifacts.
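The three PDF-structure heuristics above (PDF_SEO_LINK_FARM, SE_PASSWORD_ARCHIVE_LURE and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be approximated with a raw scan of the file bytes. The script below is an added example written for this page, not the analysis platform's own detection code. It runs on a constructed, minimal PDF-like byte string (not the analysed sample) in which object 4 0 is defined twice with different bodies, so it also shows how a first-wins and a last-wins reader resolve different content. The regexes, the active-content key list and the link-farm thresholds (200 KB size cap, 5 .pdf links, 50% host share) are assumptions chosen for the demo.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed, minimal PDF-like bytes for this demo (NOT the analysed sample). Object
# "4 0" is defined twice with different bodies, as an incremental update would do;
# object "5 0" carries a /URI link annotation; content streams hold .pdf links on one host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] /Contents 4 0 R >> endobj
4 0 obj << /Length 33 >> stream
(https://host-a.example/u/1.pdf)
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://redir.example/go?k=1) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Length 190 >> stream
(https://host-a.example/u/2.pdf) (https://host-a.example/u/3.pdf)
(https://host-a.example/u/4.pdf) (https://host-b.example/f/5.pdf)
(https://host-a.example/u/6.pdf) (https://host-a.example/u/7.pdf)
endstream endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")
# Keys that turn a duplicated body from parser noise into active content (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/URI")
PASSWORD_LURE_RE = re.compile(
    r"password.{0,80}\b(archive|zip|rar|7z|attachment)\b"
    r"|\b(archive|zip|rar|7z|attachment)\b.{0,80}password", re.I | re.S)


def parse_objects(data):
    """Every indirect-object definition as (num, gen, body), in file order."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(data):
    """(num, gen) -> bodies, only for objects defined more than once with differing bytes."""
    seen = {}
    for num, gen, body in parse_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve_object(data, num, gen, policy="last"):
    """Body a reader would use: 'first' for first-wins parsers, 'last' for last-wins
    (the incremental-update semantics of the PDF spec). None if the object is undefined."""
    bodies = [b for n, g, b in parse_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_severity(data):
    """'none' without duplicates, 'info' for body-only differences, 'high' if any
    duplicate body carries active content (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL logic)."""
    dups = duplicate_objects(data)
    if not dups:
        return "none"
    active = any(k in body for bodies in dups.values() for body in bodies for k in ACTIVE_KEYS)
    return "high" if active else "info"


def extract_urls(data):
    """Unique (url, channel) pairs; channel is 'link annotation' for /URI actions,
    else 'document text' (anything the raw scan finds, metadata included)."""
    annots = {m.group(1).strip() for m in URI_ANNOT_RE.finditer(data)}
    out, seen = [], set()
    for m in URL_RE.finditer(data):
        url = m.group(0).rstrip(b".,;")
        if url in seen:
            continue
        seen.add(url)
        channel = "link annotation" if url in annots else "document text"
        out.append((url.decode("latin-1"), channel))
    return out


def link_farm_verdict(data, max_size=200_000, min_pdf_links=5, min_host_share=0.5):
    """Approximation of PDF_SEO_LINK_FARM: small file, many external .pdf links, most of
    them on a single host. Thresholds are assumptions for this demo."""
    pdf_urls = [u for u, _ in extract_urls(data) if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_urls)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_urls) if pdf_urls else 0.0
    flagged = len(data) <= max_size and len(pdf_urls) >= min_pdf_links and share >= min_host_share
    return {"pdf_links": len(pdf_urls), "top_host": top_host,
            "top_host_share": round(share, 2), "flagged": flagged}


def password_archive_lure(text):
    """SE_PASSWORD_ARCHIVE_LURE-style check on extracted text: password instructions
    within 80 characters of an archive/attachment word."""
    return PASSWORD_LURE_RE.search(text) is not None


if __name__ == "__main__":
    print("duplicates:", list(duplicate_objects(SAMPLE_PDF)), "severity:", duplicate_severity(SAMPLE_PDF))
    print("first-wins 4 0:", resolve_object(SAMPLE_PDF, 4, 0, "first")[:60])
    print("last-wins  4 0:", resolve_object(SAMPLE_PDF, 4, 0, "last")[:60])
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print("link farm:", link_farm_verdict(SAMPLE_PDF))
    print("lure:", password_archive_lure("The attachment is a ZIP archive. Password: 2021"))
```

Run it as a script to see the two resolutions of object 4 0 side by side and the per-URL channel labels; to apply it to a real file, read the bytes and pass them in place of SAMPLE_PDF. The raw-byte approach deliberately ignores the xref table, which is what makes the duplicate-definition check work: an xref-driven parser only ever sees the object the table points at and would miss the other body entirely.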

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fd62.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD62
    Size: 4632 bytes
    SHA-256: df59b4e6cf54fd68b9a25011f878967c2c02ad6fc8bae714b1a164805b850435
  • Filename: font_01_sfnt_off00010d29.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D29
    Size: 11508 bytes
    SHA-256: 0dcc45acfe041ecb79d72690c944196a838ff5181fc49373c13df66b83a2ba9a