Malicious PDF — malware analysis report

Static analysis result for SHA-256 06b67e1fa4e1f678…

MALICIOUS

PDF

87.5 KB Created: 2021-03-29 12:36:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bfd7c7069e9fa7bc7d64ae66b9ec29ca SHA-1: 3a8464b119c0b75600dc567850ace9b2db5190ed SHA-256: 06b67e1fa4e1f678a5bdaa281d2ae79376d68721075f6db69ad8173316777f98
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical detection for a link farm and a high ML score. The PDF contains numerous external links, with one pointing to a suspicious domain, suggesting a phishing or SEO manipulation attempt. The presence of embedded JavaScript, though not directly analyzed for specific actions, is a common vector for malicious PDF exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/award?keyword=bromatologia+de+los+alimentos+libros+pdf
    • https://cdn.sqhk.co/kufagilan/fgjhchj/tiny_dungeon_2e_download_free.pdf
    • http://50offit.pro/69965933369820np.pdf
    • https://cdn.sqhk.co/vorebilifi/hhhMicK/69714072652.pdf
    • http://tokigarodam.22web.org/craftsman_13.5_hp_riding_mower_42.pdf
    • http://wide-mean.top/swami_sarvagananda_free_mp3_downloadribj9.pdf
    • http://max-lifting.store/lake_superior_fishing_report_2018lckd7.pdf
    • https://cdn.sqhk.co/sejixikerut/jbWibq1/komiguzosolagokenirofav.pdf
    • http://podcard2020.site/ford_tractor_repair_shops_near_melfv6t.pdf
    • http://handler-autoscout24.com/konibosevovozonubot07kb.pdf
    • http://samiter.22web.org/90964106795.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/fa4ed448-768a-441d-be01-cd9bee0d9a94/viduzukazo.pdf
    • https://uploads.strikinglycdn.com/files/30acb378-ea21-4885-ba0f-6249811748ad/is_hp_and_the_cursed_child_going_to_be_a_movie.pdf
    • https://uploads.strikinglycdn.com/files/40c2ae3b-ee77-477c-a3f2-1237955a61fa/is_there_any_free_movie_apps_for_iphone.pdf
    • https://uploads.strikinglycdn.com/files/c29b7d62-14f5-4c85-ad02-a5b91978d647/50138985933.pdf
    • https://uploads.strikinglycdn.com/files/a43b3851-6bb4-48fe-80f4-69143d52f366/58316299266.pdf
    • https://a3720f92-bdaa-4449-a3ff-14f36884d2d5.filesusr.com/ugd/afadc3_49ff92e3013c4d8092cd574cac46ea5b.pdf?index=true
    • https://76df98a8-3e94-4eee-a6f5-23e1de06049b.filesusr.com/ugd/54c74c_072b310076ce45f190bbed6f42619b0d.pdf?index=true
    • http://getojigukas.epizy.com/cdn_cloudflare_jspdf.pdf
    • https://uploads.strikinglycdn.com/files/b61ecf81-7a99-4e6a-9c2e-a3c2c9f7221b/vazibokubetijo.pdf
    • https://uploads.strikinglycdn.com/files/00e64d3a-3f8f-4e35-85ac-7ea9b13726ac/unlock_sennheiser_ew100_g3_receiver.pdf
    • https://0029a690-d003-4268-bdc7-e74daa5a0415.filesusr.com/ugd/a4b355_2c9bcbad55e1465a92eac30469565530.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dfb149a2-49ff-485c-a212-fafa8448de01/flowers_of_algernon_summary_template.pdf
    • https://uploads.strikinglycdn.com/files/8a0114de-54f6-427e-af5e-285074c032e7/60727820854.pdf
    • https://7162416e-a815-4e2e-b4b4-2f1b6d3d7a1b.filesusr.com/ugd/0723a7_d9dac07faea843a3b383f60ed51b67c4.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000101a8.bin
9748d1eb80c4d5ded3220dd3bd899883890545d80f8683b081200572ab9476a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x101A8 5552 bytes
font_01_sfnt_off0001146b.bin
437bb3a6d0698e1e5d588d95b58a200b85d2a8ab9947fa668086bb29980ab409		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1146B 10660 bytes
font_02_sfnt_off000138e2.bin
e93acd332f5893643511f4cefd38969ad5c744ad1b08842a788b6be7d277dd15		 pdf-font-stream PDF embedded font (sfnt) at offset 0x138E2 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.