Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e77ddca136f3cf3…

Verdict: MALICIOUS
File type: PDF
Size: 80.6 KB
Created: 2021-03-30 03:07:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3fc0a0fe1eded7edf4575e7305541a4a
SHA-1: d49f9ee22a92f6b0ef4cbfdc6b01ce6f376b7c0c
SHA-256: 0e77ddca136f3cf3cb215a0da8b3abe72b221d3c817aa210cfd324ed3f13c3a0
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, indicative of a link farm or phishing attempt, as flagged by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and embedded URLs point towards a malicious document designed to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fb70.bin
    SHA-256: 875b942493a771aaf6eb7e622921029b57cec75d0e33aebadba144a4f48bac06
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB70
    Size: 5576 bytes
  • Filename: font_01_sfnt_off00010e5a.bin
    SHA-256: 5c80dcd622e6e97b4da53262121578c9d1caf1ce025e173d7dfd88b68236d5a2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E5A
    Size: 10660 bytes