Malicious PDF — malware analysis report

Static analysis result for SHA-256 08e7e719fb1fc9d1…

Verdict: MALICIOUS
File type: PDF
Size: 84.1 KB
Created: 2021-05-26 04:23:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c6c0f9dd124c6744efdb07e89b211842
SHA-1: f0dfad4eb8d6a89985f4ee8c2830052cc41f7bbb
SHA-256: 08e7e719fb1fc9d154d3c27a3466089803e569980e8ba6824a4ad23a80475e0b
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was classified as malicious by a machine learning classifier (Nyx PDF Classifier, score 0.9993) and by ClamAV, whose signature names it a phishing trojan. The dominant pattern is a large number of external link annotations, almost all pointing to other PDF files hosted on a handful of website-builder domains (weebly.com, strikinglycdn.com, f-static.net, s123-cdn-static.com), which matches a generated SEO link-farm carrier rather than a document with genuine citations. The file was produced by wkhtmltopdf, an HTML-to-PDF converter, which is consistent with bulk generation from a web template. No script was recovered from the sample, so the T1059.007 (JavaScript) mapping is not backed by extracted content; the evidence points to phishing or unwanted-software delivery through the embedded URLs rather than to an exploit or script payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDF files, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not the citation pattern of a normal document.
  • CLAMAV_DETECTION [critical]: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV signature match; the signature name classifies the file as a phishing trojan.
  • PDF_URI [info]: External URI
    The PDF contains at least one external URL action (/URI).
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL [info]: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve it to different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content; here it stays at info.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JavaScript, link annotation, document body, ...) reached each one. The w3.org, purl.org and ns.adobe.com entries below are XMP metadata namespace identifiers, and the fontawesome.io, ascendercorp.com and scripts.sil.org/OFL entries are the vendor and licence strings typically carried in embedded font metadata; none of these is evidence of malice on its own. The remaining links, nearly all to .pdf files on website-builder hosting (weebly.com, strikinglycdn.com) and similar CDNs, are the link-farm payload.
    • https://ponafet.ru/strik?utm_term=can+could+may+might+should+ought+to
    • https://cdn-cms.f-static.net/uploads/4421983/normal_605cd90d62643.pdf
    • https://pebezudaxefen.weebly.com/uploads/1/3/4/3/134347708/182473.pdf
    • https://kubimivigiv.weebly.com/uploads/1/3/4/3/134314132/masifetoka.pdf
    • https://static.s123-cdn-static.com/uploads/4413455/normal_5fec58bae60b8.pdf
    • https://rowigoto.weebly.com/uploads/1/3/0/8/130813427/4735907.pdf
    • https://cdn-cms.f-static.net/uploads/4420245/normal_5fd2201780f77.pdf
    • https://zavebunerug.weebly.com/uploads/1/3/4/3/134358754/9731547.pdf
    • https://cdn-cms.f-static.net/uploads/4463006/normal_6068811bdb1b0.pdf
    • https://ragulifogikub.weebly.com/uploads/1/3/3/9/133986704/bimajiwipew.pdf
    • https://cdn-cms.f-static.net/uploads/4459164/normal_6012e3fc809f8.pdf
    • https://cdn-cms.f-static.net/uploads/4491414/normal_600aaccf54211.pdf
    • https://rikisefunem.weebly.com/uploads/1/3/5/3/135337995/3845625.pdf
    • https://cdn-cms.f-static.net/uploads/4446026/normal_604d96b3ab223.pdf
    • https://wujadadi.weebly.com/uploads/1/3/1/0/131070572/topevomasimu-rasitomaxeda-dujijenexom-liririnixol.pdf
    • https://pulivaxudifosaj.weebly.com/uploads/1/3/4/2/134235984/dukapox-suzujisimoxov-mitudutikewaf.pdf
    • https://cdn-cms.f-static.net/uploads/4419818/normal_601571a857c04.pdf
    • https://pukakiliratof.weebly.com/uploads/1/3/4/7/134768090/75f8d9b7.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9461f7d1-54ec-4f49-b454-bc8a59cfbe98/geico_marketing_plan.pdf
    • https://uploads.strikinglycdn.com/files/a2b7ccfb-fa06-4492-aa83-1fabc294a86e/fadaruguxe.pdf
    • https://uploads.strikinglycdn.com/files/d4f68ad7-371b-4d24-b7eb-83e59eb7233b/45292621260.pdf
    • https://uploads.strikinglycdn.com/files/eed5829f-d817-4577-82ec-477f692978f1/44991660794.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
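To make the two structural heuristics above concrete, here is an added example (not the report's own tooling, and not the scanner that produced it) that reproduces PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL on a constructed PDF: it collects external /URI link targets, checks whether they cluster on one host in a small file, and finds an indirect object defined twice with different bodies, then shows that a first-wins and a last-wins reader resolve that object differently. The sample bytes, host names and thresholds are assumptions made for the example; real samples frequently hide URIs inside compressed object or content streams, which this plain byte scan does not decode.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not a real file): six link annotations, four of them on
# one host, plus the /OpenAction target (object 4) redefined with a different
# body in an incremental update appended after the first %%EOF.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n"
    b"   /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj\n"
    b"4 0 obj << /S /URI /URI (https://benign.example/readme) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10]\n"
    b"   /A << /S /URI /URI (https://farm.example/u/1/file1.pdf) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [0 20 10 30]\n"
    b"   /A << /S /URI /URI (https://farm.example/u/2/file2.pdf) >> >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Link /Rect [0 40 10 50]\n"
    b"   /A << /S /URI /URI (https://farm.example/u/3/file3.pdf) >> >> endobj\n"
    b"8 0 obj << /Type /Annot /Subtype /Link /Rect [0 60 10 70]\n"
    b"   /A << /S /URI /URI (https://farm.example/u/4/file4.pdf) >> >> endobj\n"
    b"9 0 obj << /Type /Annot /Subtype /Link /Rect [0 80 10 90]\n"
    b"   /A << /S /URI /URI (https://cdn.example/uploads/x.pdf) >> >> endobj\n"
    b"10 0 obj << /Type /Annot /Subtype /Link /Rect [0 100 10 110]\n"
    b"   /A << /S /URI /URI (http://fonts.example/license) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: object 4 is defined again with a different body.
    b"4 0 obj << /S /URI /URI (https://farm.example/open) >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

# Literal-string /URI targets, honouring backslash escapes inside the parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# "N G obj ... endobj" for every uncompressed indirect object definition.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)


def extract_uris(pdf):
    """Every /URI literal string in file order, PDF escapes removed."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf)]


def link_farm_verdict(pdf, min_links=5, top_share=0.5, max_size=256 * 1024):
    """Flag a small file whose external links mostly point at one host.
    The thresholds are illustrative assumptions, not the report's values."""
    uris = [u for u in extract_uris(pdf)
            if u.lower().startswith(("http://", "https://"))]
    if not uris:
        return {"flag": False, "links": 0, "top_host": None, "share": 0.0}
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, n = hosts.most_common(1)[0]
    share = n / len(uris)
    flag = len(pdf) <= max_size and len(uris) >= min_links and share >= top_share
    return {"flag": flag, "links": len(uris), "top_host": top_host,
            "share": round(share, 3)}


def duplicate_objects(pdf):
    """(num, gen) -> list of bodies for objects defined more than once with
    differing bodies. Such differences are normal in incremental updates;
    what matters is whether the duplicated object carries active content."""
    seen = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        seen.setdefault(key, []).append(m.group(3).strip())
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(pdf, num, gen=0, policy="last"):
    """Emulate a first-wins or last-wins reader for one object number."""
    bodies = [m.group(3).strip() for m in OBJ_RE.finditer(pdf)
              if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
    for key in duplicate_objects(SAMPLE_PDF):
        print("duplicate object %d %d:" % key)
        print("  first-wins ->", resolve(SAMPLE_PDF, *key, policy="first"))
        print("  last-wins  ->", resolve(SAMPLE_PDF, *key, policy="last"))
```

On the constructed sample the link-farm check fires (8 external links, 5 of them on farm.example), and object 4, which is the /OpenAction target, resolves to a benign URL under first-wins and to the farm host under last-wins. Because the duplicated object here carries an action, a scanner applying the report's rule would raise the duplicate-object finding above info; in the real sample it stayed at info.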

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt (TrueType/OpenType) font programs; no script or executable payload was carved.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f6d7.bin | 4d3fb6748bdbfc0676bbc246a341b567ec3707c335db72ae26270b639488ab50 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF6D7 | 1684 bytes
font_01_sfnt_off0000ff3b.bin | 57d4fb1dc20ce17bb42831bd735bc881889695af1f5b1cf042e0fd7237daf879 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF3B | 5264 bytes
font_02_sfnt_off000110fd.bin | a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110FD | 1800 bytes
font_03_sfnt_off0001198a.bin | 0d505dec3bd0b5854efa401d34a8d28c9c451cf4438f96311a77fea13d2d2d0c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1198A | 13404 bytes
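A practitioner triaging carved font streams like the four above usually wants a quick structural check that each blob really is a well-formed sfnt before handing it to a font engine. The following is an added example, not the report's tooling and not the carver that produced the artifacts: it decodes the sfnt offset table and table directory and rejects blobs whose directory entries point outside the data, the malformed shape a font parser would otherwise have to cope with. The sample font is constructed inline for the example and is not a usable typeface.

```python
import struct

# sfnt version tags: 0x00010000 and 'true' are TrueType outlines, 'OTTO' is CFF.
SFNT_VERSIONS = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF",
                 b"true": "TrueType (Apple)"}


def parse_sfnt(blob):
    """Return (flavour, {tag: (offset, length)}) or raise ValueError."""
    if len(blob) < 12:
        raise ValueError("shorter than an sfnt offset table")
    flavour = SFNT_VERSIONS.get(blob[:4])
    if flavour is None:
        raise ValueError("unknown sfnt version tag %r" % blob[:4])
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if 12 + 16 * num_tables > len(blob):
        raise ValueError("table directory truncated")
    tables = {}
    for i in range(num_tables):
        entry = blob[12 + 16 * i: 28 + 16 * i]
        tag, _checksum, offset, length = struct.unpack(">4sIII", entry)
        # Python ints do not wrap, so offset + length cannot overflow here;
        # a C parser must guard this sum against 32-bit wraparound.
        if offset + length > len(blob):
            raise ValueError("table %r overruns the blob" % tag)
        tables[tag.decode("latin-1")] = (offset, length)
    return flavour, tables


def is_well_formed_sfnt(blob):
    """Boolean wrapper around parse_sfnt for bulk triage of carved files."""
    try:
        parse_sfnt(blob)
        return True
    except ValueError:
        return False


def build_sample_font(table_bodies):
    """Assemble a minimal TrueType-flavoured sfnt from {tag: bytes}.
    Checksums are left at zero; constructed for the example only."""
    n = len(table_bodies)
    directory, data = b"", b""
    base = 12 + 16 * n
    for tag, body in sorted(table_bodies.items()):
        directory += struct.pack(">4sIII", tag, 0, base + len(data), len(body))
        data += body + b"\0" * (-len(body) % 4)  # tables are 4-byte aligned
    return b"\x00\x01\x00\x00" + struct.pack(">HHHH", n, 0, 0, 0) + directory + data


# Constructed sample with two placeholder tables (contents are zero bytes).
SAMPLE_FONT = build_sample_font({b"head": b"\0" * 54, b"name": b"\0" * 6})

if __name__ == "__main__":
    print(parse_sfnt(SAMPLE_FONT))
    print("truncated copy well-formed:", is_well_formed_sfnt(SAMPLE_FONT[:60]))
```

Run against a carved artifact with `parse_sfnt(open(path, "rb").read())`; a blob that fails here is worth a closer look, since a stream labelled as a font that is not a font is exactly the kind of mismatch a carver cannot judge on its own.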