Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a666aa3912f8fdc…

Verdict: MALICIOUS
File type: PDF
Size: 83.7 KB
Created: 2021-04-07 21:50:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9e0ff54f4ac0e3273e5ec78eba6c6fee
SHA-1: dd3f4d5cb5793c9bd07ddf8eac2a91c5f9c04178
SHA-256: 0a666aa3912f8fdc8863bf62ee3babe59b47f61be5df3339f52c83f4032aa8a0
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by three independent signals: a ClamAV signature, an ML classifier, and a link-farm heuristic. It carries a large number of clickable external links, most of them pointing at other PDFs and clustered on a few hosts, which is the pattern of a generated SEO link farm: a small carrier document that attracts search traffic (note the keyword-stuffed query string in the first URL) and routes readers into a chain of further PDF downloads rather than citing sources. The content and structure indicate a document built to get users to click those links and download further files, whether unwanted software or malware, rather than to convey information. None of the listed heuristics reports JavaScript or other active content in this sample, so the T1059.007 mapping is not corroborated by the findings shown here and should be read as an attribute of this carrier family rather than observed behaviour.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [info] PDF_URI: External URI
    The PDF contains an external URL action (a /URI action, typically attached to a link annotation).
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, which is what an incremental update produces when it appends a new definition without removing the old one. A first-wins reader and a last-wins reader will resolve different content for the same object, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, JavaScript, or similar).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) say which channel reached each URL, but they are not reproduced in this extract. The entries under w3.org, purl.org and ns.adobe.com are XMP metadata namespace identifiers, scripts.sil.org/OFL is the SIL Open Font License URL typically carried in an embedded font's license field, and the ascendercorp.com entries most likely come from an embedded font's vendor fields; none of these is a clickable link target.
    • https://pelibifir.ru/wix?keyword=sample+affidavit+of+bona+fide+marriage+letter+for+immigration+pdf
    • https://torudedo.weebly.com/uploads/1/3/4/3/134352944/mabawu.pdf
    • http://mon-cmbretagne.com/aimbot_apk_critical_ops63gmy.pdf
    • http://metaleagle.ru/67320040596shn70.pdf
    • https://cdn.sqhk.co/kixobaza/bhi4VZd/blockman_go_hack_download_android.pdf
    • https://fekebejoluxoji.weebly.com/uploads/1/3/4/3/134309121/vuzekum.pdf
    • https://cdn.sqhk.co/jujadiziga/jjd7Fgf/mirosoxuzo.pdf
    • https://bisigibibozika.weebly.com/uploads/1/3/4/4/134438783/jitiwibamakefoveside.pdf
    • https://cdn.sqhk.co/bokupajokim/MHia6ih/mino_monsters_2_evolution_download.pdf
    • http://characduwe.space/106546913225yqeh.pdf
    • https://cdn.sqhk.co/xafiguzi/pHEiiET/zolawagubekuxejuwemame.pdf
    • http://fastpeysistem.online/wagaruxalirojajufel0zdh.pdf
    • https://vapulorefemefiz.weebly.com/uploads/1/3/5/9/135956910/bf0eb98484fe7.pdf
    • https://cdn.sqhk.co/zodozane/Fb0jjIN/67552476818.pdf
    • https://cdn.sqhk.co/mewovegid/ylCkhbg/bivunupomabo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://4e4608fd-868e-43f5-b6ba-14e5e4b50785.filesusr.com/ugd/b1f235_5b1ef8edc67f4b49b76765e4f8347ed6.pdf?index=true
    • https://c6926203-1eb9-401e-9afa-11f61f201807.filesusr.com/ugd/685707_e59e1cd08e2d421ab9a6c1c18b190e0c.pdf?index=true
    • https://299bc67c-4c9a-44ea-852c-18f2d39dca40.filesusr.com/ugd/954c8b_d21d9b5004b24b83ad406f2aaa28c0f1.pdf?index=true
    • https://1fd079ea-3156-4ae8-a0b4-6153e0b529c5.filesusr.com/ugd/e66bf7_288a47b19baf4ab8a2947992114069ec.pdf?index=true
    • https://09ec9d85-9312-4337-94d0-b84080e05f2e.filesusr.com/ugd/ac0094_10e605b8a6334706b8ef9a47ec74c3f3.pdf?index=true
    • https://eadb47d6-6712-4ecd-aa5a-2cdcf2d90b86.filesusr.com/ugd/c844bf_788815711df3423c8c1d36436dac3b12.pdf?index=true
    • https://06ebba1c-c738-45d4-b58d-83edbdcc9420.filesusr.com/ugd/b14caa_9840424c6c7241448103bff0e4530dcf.pdf?index=true
    • https://6c036dbd-b327-4678-b778-de8a2ee7bb50.filesusr.com/ugd/ed64d2_c24a393b728a4fc1a14e5c5b8aa91842.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
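The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are simple enough to reproduce at the byte level. The script below is an added example written for this page, not the scanner's own code: it builds a constructed sample PDF with a cluster of link annotations on one host plus an incremental update that redefines one annotation with JavaScript, then reports what first-wins and last-wins readers would resolve for the duplicated object and whether the file matches the small-file, many-links, one-dominant-host shape. The thresholds (200 KB, 10 links, 60% on one host), the host names and the regex-based object parsing are assumptions; objects packed into /ObjStm streams are invisible to it.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Byte-level triage: this only sees uncompressed "N G obj ... endobj" definitions.
# Objects packed into /ObjStm object streams need a real PDF parser (pikepdf, pdfminer).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Action and trigger keys: a duplicate definition carrying any of these is worth escalating.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/URI")


def build_sample(n_farm=12, n_other=2):
    """Constructed sample, not the analysed file: a one-page PDF with link annotations,
    most pointing at one host, followed by an incremental update that redefines
    annotation object 5 with a different body. No xref table is written; that is
    enough for byte-level triage but the file is not a conforming PDF."""
    links = [f"https://cdn.example-host.test/u/{i}/file{i}.pdf" for i in range(n_farm)]
    links += [f"http://other.example.test/page{i}.pdf" for i in range(n_other)]
    annots = list(range(4, 4 + len(links)))
    parts = [b"%PDF-1.4\n",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
             b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
             + b" ".join(b"%d 0 R" % n for n in annots) + b"] >> endobj\n"]
    for num, url in zip(annots, links):
        parts.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     b"/A << /S /URI /URI (%s) >> >> endobj\n" % (num, url.encode()))
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    # Incremental update: same object number and generation, different body bytes.
    parts.append(b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                 b"/A << /S /JavaScript /JS (app.alert('constructed')) >> >> endobj\n")
    parts.append(b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n")
    return b"".join(parts)


def parse_objects(data):
    """Every indirect object definition in file order: ((num, gen), body, offset)."""
    return [((int(m.group(1)), int(m.group(2))), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """Objects defined more than once with differing body bytes, keyed by (num, gen).
    Records what a first-wins and a last-wins reader would each resolve, and whether
    any of the definitions carries active content (the condition for raising severity)."""
    defs = {}
    for key, body, _ in parse_objects(data):
        defs.setdefault(key, []).append(body)
    return {
        key: {
            "definitions": len(bodies),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
        }
        for key, bodies in defs.items() if len(set(bodies)) > 1
    }


def link_farm(data, max_size=200_000, min_links=10, top_host_share=0.6):
    """Cluster clickable /URI targets by host and apply the small-file, many-links,
    one-dominant-host test behind PDF_SEO_LINK_FARM. The thresholds are assumptions."""
    parsed = [urlparse(u.decode("latin-1")) for u in URI_RE.findall(data)]
    hosts = Counter(p.hostname for p in parsed
                    if p.scheme in ("http", "https") and p.hostname)
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / total if total else 0.0
    return {
        "size": len(data),
        "external_links": total,
        "pdf_targets": sum(1 for p in parsed if p.path.lower().endswith(".pdf")),
        "top_host": top_host,
        "top_host_share": share,
        "flagged": len(data) <= max_size and total >= min_links and share >= top_host_share,
    }


if __name__ == "__main__":
    import sys
    pdf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for (num, gen), d in duplicate_objects(pdf).items():
        print(f"object {num} {gen}: {d['definitions']} definitions, active={d['active']}")
        print("  first-wins:", d["first_wins"][:90])
        print("  last-wins: ", d["last_wins"][:90])
    print("link farm:", link_farm(pdf))
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed case: object 5 resolves to a plain link for a first-wins reader and to a JavaScript action for a last-wins reader, which is exactly the disagreement the duplicate-object heuristic warns about, and the link cluster trips the link-farm test.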

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs (sfnt containers), which is expected for a wkhtmltopdf-generated document; they are carved for hashing and further inspection, not flagged as malicious here.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000107d5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x107D5  5488 bytes
  SHA-256: 6a2b08386b58471780f20b877d343a3b5672ddcada2ba4e4c5fe1965a3939f47
font_01_sfnt_off00011a6c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11A6C  10676 bytes
  SHA-256: dff7c84c02c5c3f558dd42cb22e3ab45b944e898ad13bbd60d71a6919f79f8b9
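To reproduce the artifact table above, a carver has to inflate each FlateDecode stream and decide whether the result is an sfnt font by validating its table directory rather than trusting the dictionary's /Subtype. The script below is an added example written for this page, not the analysis platform's carver: it builds a constructed PDF with a page-content stream (to be skipped) and a constructed minimal sfnt in a FlateDecode stream, then reports file offset, decoded size and SHA-256 in the same shape as the table. The flat-dictionary regex, the naming scheme and the minimal one-table font are assumptions; nested dictionaries, indirect /Length values and TrueType collections are out of scope.

```python
import hashlib
import re
import struct
import zlib

# TrueType, CFF-based OpenType and Apple 'true' containers; 'ttcf' collections are skipped.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
# Naive stream locator: a flat dictionary followed by stream data. Nested dictionaries
# and indirect /Length values need a real PDF parser; this is enough for a triage carve.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def build_minimal_sfnt():
    """Constructed stand-in for a real font program: an sfnt offset table with a single
    54-byte 'head' table. Not renderable, but structurally a valid sfnt container."""
    num_tables = 1
    head = bytes(54)
    header = struct.pack(">IHHHH", 0x00010000, num_tables, 16, 0, 0)
    record = struct.pack(">4sIII", b"head", 0, 12 + 16 * num_tables, len(head))
    return header + record + head


def build_sample_pdf(font):
    """Constructed PDF (not the analysed sample) with two FlateDecode streams: page
    content, which the carver must skip, and the font as a /FontFile2-style stream."""
    content = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
    fstream = zlib.compress(font)
    parts = [b"%PDF-1.4\n",
             b"1 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(content),
             content, b"\nendstream endobj\n",
             b"2 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >> stream\n"
             % (len(fstream), len(font)),
             fstream, b"\nendstream endobj\n",
             b"trailer << >>\n%%EOF\n"]
    return b"".join(parts)


def sfnt_size(blob):
    """Size of the sfnt implied by its table directory, or None if the header is not
    a well-formed sfnt or the directory points past the available bytes."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    end = 12 + 16 * num_tables
    if num_tables == 0 or end > len(blob):
        return None
    for i in range(num_tables):
        _tag, _checksum, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        end = max(end, offset + length)
    return end if end <= len(blob) else None


def carve_fonts(pdf):
    """Inflate every FlateDecode stream and keep those that decode to a valid sfnt.
    Each hit records the file offset of the stream data, the decoded size and the
    SHA-256 of the carved bytes, the same fields as the artifact table above."""
    hits = []
    for m in STREAM_RE.finditer(pdf):
        dictionary = m.group(1)
        if b"/FlateDecode" not in dictionary:
            continue
        start = m.start(2)
        length = LENGTH_RE.search(dictionary)
        # Prefer the declared /Length: binary data may end in bytes the regex would eat.
        raw = pdf[start:start + int(length.group(1))] if length else m.group(2)
        try:
            blob = zlib.decompress(raw)
        except zlib.error:
            continue  # truncated or not zlib: not carved here, but worth a manual look
        size = sfnt_size(blob)
        if size is None:
            continue
        hits.append({"offset": start, "size": size,
                     "sha256": hashlib.sha256(blob[:size]).hexdigest()})
    return hits


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_pdf(build_minimal_sfnt()))
    for i, h in enumerate(carve_fonts(data)):
        print(f"font_{i:02d}_sfnt_off{h['offset']:08x}.bin  {h['size']} bytes  {h['sha256']}")
```

Validating the table directory is what keeps the carver from mistaking a content or image stream for a font, and computing the size from that directory (rather than from the decoded stream length) is what makes the reported byte count and hash stable even when the stream carries trailing padding.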