Malicious PDF — malware analysis report

Static analysis result for SHA-256 09d5634515eb0a4c…

Verdict: MALICIOUS
File type: PDF
Size: 78.0 KB
Created: 2021-04-03 03:26:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f038e34edd02bf96685fccdad8857532
SHA-1: 5c156d2de6f087dbf79b571242fb3e0a57df193c
SHA-256: 09d5634515eb0a4cfd727e865a15abec385bae48fbf7289cb637f86f48bc22f5
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external links, most of them to unknown or likely malicious domains, which is the pattern of a generated link-farm or phishing carrier rather than a normal document. The ClamAV signature and the ML classifier both indicate malicious intent, most plausibly phishing or unwanted-software distribution. No script content was extracted, so the T1059.007 (JavaScript) mapping above is not corroborated by the static analysis; the verdict rests on the document structure and the heuristics that fired, which point to a document built to route users to external malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G obj) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=my+ge+dryer+makes+a+loud+squealing+noise
    • http://sepoxudozixo.sportsontheweb.net/jujutivonilixivetarexe.pdf
    • https://cdn.sqhk.co/zipirevofu/EjhWqru/xaguguwuremududasonuga.pdf
    • http://dimozakebaba.scienceontheweb.net/34709427841.pdf
    • http://pifemukopisare.sportsontheweb.net/apple_watch_4_user_guide.pdf
    • https://cdn.sqhk.co/mavozopofug/iigiceh/98380661287.pdf
    • https://vunukufe.weebly.com/uploads/1/3/4/6/134640969/8388931.pdf
    • https://cdn.sqhk.co/malevevipali/ijcgdAH/the_cw_all_american_season_3.pdf
    • http://lobutojumakix.22web.org/data_warehousing_fundamentals_by_paulraj_ponniah_solution_manual_free_download.pdf
    • https://cdn.sqhk.co/pigevikuwi/fge9Mha/felibu.pdf
    • https://bidiruvinevuf.weebly.com/uploads/1/3/1/3/131379477/tijozo.pdf
    • http://agent-spv.space/gojogisotevepadobopudiim6ff.pdf
    • https://kerawidirara.weebly.com/uploads/1/3/4/7/134746453/2868403.pdf
    • https://zesaxigupube.weebly.com/uploads/1/3/4/0/134016892/bigugupetewojo.pdf
    • https://cdn.sqhk.co/vilubofi/cYSjghf/fovapasomuvilafujifasod.pdf
    • http://lnstagramverifiedbadgeshelpcenters.net/vowelogufetegetubumom607wl.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://c4e42e93-254c-4ba8-b495-737f84002742.filesusr.com/ugd/ddb60a_48bf08dfd9a04edda0172fda66e2a2d6.pdf?index=true
    • http://gidigeja.rf.gd/corporate_donation_request_letter_template.pdf
    • http://nixipujulonitin.epizy.com/julifixufikulafalelipibok.pdf
    • https://992bddda-184d-467f-a815-0165b41a2208.filesusr.com/ugd/69695d_075a28a3b8c34d6ea90cf35d75fcf899.pdf?index=true
    • http://risasuwoz.epizy.com/how_to_refill_epson_cartridges.pdf
    • http://bivojeda.atwebpages.com/how_to_check_login_on_facebook.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
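The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a raw-byte scan. The script below is an added example written for this page, not the analyzer's own code: it enumerates uncompressed "N G obj ... endobj" definitions, pulls /URI link targets and clusters them by host, reports object numbers defined more than once with different bodies, and shows how a first-wins reader and a last-wins reader resolve such an object differently. The sample PDF it builds (hosts cdn.example-farm.test, benign.test, evil.test and the link/object layout) is constructed for the demonstration. Objects inside /ObjStm or Flate-compressed streams are not visible to this scan; a real triage pipeline decompresses first.

```python
"""Added example: naive raw-byte PDF triage for the link-farm and
duplicate-object heuristics. Not the analyzer's own code; the sample
PDF and every host name in it are constructed for this demonstration."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Uncompressed indirect object definitions only (nothing inside /ObjStm).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI literal strings; handles \( \) \\ escapes, not hex strings (assumption).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def iter_objects(data: bytes):
    """Yield (num, gen, body) for every object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(data: bytes) -> dict:
    """{(num, gen): [distinct bodies]} for objects redefined with different bytes."""
    seen = defaultdict(list)
    for num, gen, body in iter_objects(data):
        if body not in seen[(num, gen)]:
            seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(v) > 1}


def resolve(data: bytes, num: int, gen: int = 0, policy: str = "last"):
    """Resolve an object the way a first-wins or a last-wins reader would."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[-1] if policy == "last" else bodies[0]


def extract_uris(data: bytes) -> list:
    """Collect /URI action targets from every object definition, duplicates included."""
    uris = []
    for _, _, body in iter_objects(data):
        for m in URI_RE.finditer(body):
            raw = m.group(1)
            for esc, plain in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
                raw = raw.replace(esc, plain)
            uris.append(raw.decode("latin-1"))
    return uris


def link_farm_report(data: bytes, min_links: int = 10, cluster_ratio: float = 0.5) -> dict:
    """Flag a PDF whose /URI links are numerous and mostly clustered on one host.
    Thresholds are illustrative assumptions, not the analyzer's values."""
    uris = extract_uris(data)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_count = (hosts.most_common(1) or [("", 0)])[0]
    ratio = top_count / len(uris) if uris else 0.0
    flagged = len(uris) >= min_links and ratio >= cluster_ratio
    return {"links": len(uris), "top_host": top_host, "top_count": top_count,
            "ratio": round(ratio, 3), "flagged": flagged}


def build_sample(n_links: int = 12) -> bytes:
    """Constructed sample: n_links link annotations (most on one host) and object 4
    redefined with a different body after a %%EOF, as an incremental update would."""
    hosts = ["cdn.example-farm.test"] * (n_links - 3) + ["a.test", "b.test", "c.test"]
    parts = [b"%PDF-1.4\n",
             b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
             b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"]
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(n_links))
    parts.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >>\nendobj\n")
    parts.append(b"4 0 obj\n<< /S /URI /URI (http://benign.test/first) >>\nendobj\n")
    for i, h in enumerate(hosts):
        uri = b"https://%s/%d.pdf" % (h.encode(), i)
        parts.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (10 + i, uri))
    parts.append(b"%%EOF\n")
    # Incremental update: same object number and generation, different body.
    parts.append(b"4 0 obj\n<< /S /URI /URI (http://evil.test/second) >>\nendobj\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_sample()
    print(link_farm_report(sample))
    for key, bodies in duplicate_objects(sample).items():
        print("object %d %d defined %d times" % (key[0], key[1], len(bodies)))
        print("  first-wins:", resolve(sample, *key, policy="first"))
        print("  last-wins: ", resolve(sample, *key, policy="last"))
```

Run the script on a real file by passing its bytes to link_farm_report and duplicate_objects. Note that this scan only reports /URI actions, which is the "link annotation" channel in the EMBEDDED_URL entry above; the XMP namespace URIs listed at the end of that entry (w3.org, purl.org, ns.adobe.com, scripts.sil.org/OFL) come from document metadata, are expected in any wkhtmltopdf output, and should not count toward a link-farm score.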

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000f4b3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF4B3    5444 bytes
    SHA-256: 70ee197e9d6b5cb45d0d363ae433e8810ace932de35aac6c5feb2817f1f33b1d
font_01_sfnt_off00010730.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10730   10396 bytes
    SHA-256: 4fd4c85224bcc2b25fb55840b04735b546e28a5768a04c68ef248c2ba78600a7