Malicious PDF — malware analysis report

Static analysis result for SHA-256 0915e7a10d0cc24b…

MALICIOUS

PDF

76.8 KB Created: 2021-03-18 20:51:59 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fc4ce43bab03bbff74b99652306d4d6c SHA-1: 4ba69404acf8a8ea494fa4e798a49b37956def50 SHA-256: 0915e7a10d0cc24bff449fc1a75e2b52adda3668a77968bf29f463234daa882f
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, many of which are SEO-optimized, suggesting a link farm or phishing attempt. The presence of a 'download button' heuristic further supports a malicious intent to trick users into downloading potentially harmful content. ClamAV detection and ML classification confirm the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/award?keyword=amar+asom+newspaper+pdf
    • https://vepodiruwa.weebly.com/uploads/1/3/4/3/134374194/a0df0c10.pdf
    • https://jarajegixam.weebly.com/uploads/1/3/1/4/131437089/4167690.pdf
    • https://wivixovipi.weebly.com/uploads/1/3/4/4/134442696/kibasojamuzotut_toxezis.pdf
    • https://cdn.sqhk.co/pevizopubok/ujjgc1s/minetest_mods_installieren_deutsch.pdf
    • https://cdn.sqhk.co/sabiwizi/55ijAQi/canons_of_taxation_by_adam_smith.pdf
    • https://nebobaxewakizix.weebly.com/uploads/1/3/1/6/131637309/947358a2b5a730.pdf
    • https://gawakugoful.weebly.com/uploads/1/3/4/7/134757428/9db600fad2db.pdf
    • https://damujulul.weebly.com/uploads/1/3/5/3/135335913/jalomopagivibij.pdf
    • https://siwukomeje.weebly.com/uploads/1/3/1/3/131383380/goperivekitugaxese.pdf
    • https://buparemekixa.weebly.com/uploads/1/3/0/7/130739227/4361116b.pdf
    • https://letuwolisabir.weebly.com/uploads/1/3/4/6/134602086/1533135.pdf
    • https://cdn.sqhk.co/vanewano/8DFXief/gothic_dress_up_games_free_online.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://081e7fb2-604d-424b-9b75-a58d54a71a44.filesusr.com/ugd/abd6ea_4c93efeb154540358be593a4cfa7557d.pdf?index=true
    • https://fbaba6ab-37cf-477f-82bd-e10a416eccda.filesusr.com/ugd/3c8574_5a8910dc1f9e42e3a485503da11044e1.pdf?index=true
    • https://f6e2a16f-d004-42cd-8f17-0463e090774c.filesusr.com/ugd/c70c35_40384517ead447c9a90e8a4abe3c953a.pdf?index=true
    • https://s3.amazonaws.com/pazovugal/interrelationship_digraph_template.pdf
    • https://uploads.strikinglycdn.com/files/da19244e-9e9e-4a68-94cc-4f6ad079dc89/85099733281.pdf
    • https://uploads.strikinglycdn.com/files/e046c8c9-352e-4eb6-982d-520c52c7a87b/setotin.pdf
    • https://s3.amazonaws.com/wezukep/all_minister_of_india_file.pdf
    • https://uploads.strikinglycdn.com/files/a2af9dd3-97a6-4d9a-905d-5a1f3b7c1dad/harry_potter_deathly_hallows_part_2_full_cast.pdf
    • https://uploads.strikinglycdn.com/files/d5f0681e-9564-4e2e-a489-bd645919f1e3/bojusefemibudu.pdf
    • https://s3.amazonaws.com/jusuberu/minecraft_free_for_pc_apunkagames.pdf
    • https://2e81f42f-67f9-46a9-89e2-a5f3ab3b03ee.filesusr.com/ugd/f138f5_8b422ecd1768452f94194157652c403f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9af5d640-24d7-4c21-957b-49454f488d68/this_is_where_it_ends.pdf
    • https://s3.amazonaws.com/lezopobigeza/bavabatapexavazujeguzudip.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e065.bin
ce2e5b7c86529e47d070a4dccf145cef5a9bbd3c68b33332b11d972cf4dc9e4a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE065 5236 bytes
font_01_sfnt_off0000f22c.bin
da7746bb6a62a664fcd3f4f852d3e00fa0e4f9810e5626fa6120b69f2e7f01fd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF22C 4592 bytes
font_02_sfnt_off00010073.bin
e9173873385ba190949104be1fddc4a7df732696533f2f329bb0cbe9646a3c09		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10073 10784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.