Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f6eec3553e0a7a6…

Verdict: MALICIOUS
File type: PDF
Size: 80.7 KB
Created: 2021-03-14 12:11:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 945fee2144b3692679451f67afc3140b
SHA-1: c2d03f5e6cceb968aba7bcf22c109404ca9bdada
SHA-256: 0f6eec3553e0a7a6d9b97eee714cfcbf5a84f0a8e66475ed59c5e5c44eb646bc
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to potentially malicious domains, indicating a link farm or phishing attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and heuristic firings point towards a malicious document designed to redirect users to external sites, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/wix?keyword=to+build+a+fire+answers+commonlit
    • https://lujiwosibe.weebly.com/uploads/1/3/4/0/134040634/mujopakapebip-jusukilezene.pdf
    • http://medway24.com/kepagitib7acau.pdf
    • https://cdn.sqhk.co/lojadisexudo/eVAMihI/recargar_tarjeta_ais_desde_estados_unidos.pdf
    • http://tizezs.xyz/fijozojamazomvxxl.pdf
    • https://cdn.sqhk.co/nexasolonit/cviehhl/pig_piggy_bank_collectible.pdf
    • http://nazhivy.net/cafe_racer_parts_uk6l5ey.pdf
    • http://vedice.ru/application_of_group_theory_in_chemistry_pptoj5qz.pdf
    • http://bbbbbbbbeeee.space/wumusazatinubovawiteh6cmk.pdf
    • https://jevupatumatawi.weebly.com/uploads/1/3/4/3/134377955/9596c4.pdf
    • https://cdn.sqhk.co/javomekoru/gfOOajf/nakeromerukavonojexa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://s3.amazonaws.com/jedaxopopuko/adding_mixed_fractions_worksheets_year_5.pdf
    • https://uploads.strikinglycdn.com/files/8a31cbfd-c22a-4de7-a515-ec20022e4d90/how_to_get_a_baseball_bat_in_gta_5.pdf
    • https://uploads.strikinglycdn.com/files/1c8c5224-5a6a-4479-a338-d4e9be21d591/jane_austen_novel_emma_summary.pdf
    • https://uploads.strikinglycdn.com/files/0830930f-2695-448a-ad14-99d04af85114/where_to_buy_golden_malted_waffle_mix.pdf
    • https://s3.amazonaws.com/gosete/statistics_and_probability_letters_latex_template.pdf
    • https://uploads.strikinglycdn.com/files/690dbb00-832b-4808-981a-c15e10f0e59f/verizon_fios_volume_remote_not_working.pdf
    • https://s3.amazonaws.com/gosete/tumbleform_platform_swing.pdf
    • https://uploads.strikinglycdn.com/files/b7951068-c4c1-462e-a2c2-bef49ad17288/hp_officejet_pro_8600_scan_windows_10.pdf
    • https://s3.amazonaws.com/nakuzafol/satekiwivuxezirik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

Filename: font_00_sfnt_off0000f48c.bin
SHA-256: a461c049c7d9b025f36a61351120146db10e95ba3c3d7f4752a811fec6e7cbcb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF48C
Size: 5348 bytes

Filename: font_01_sfnt_off000106b9.bin
SHA-256: 9725ca3ce9aa25de57978597fcf659a661e2908aac37cbe4c0b56b5a2c5fdd56
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x106B9
Size: 10296 bytes

Filename: font_02_sfnt_off000129d4.bin
SHA-256: d7a1248cabf161ff78a072bd924b98f1b4e551660f4e151c9433689786990c0c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x129D4
Size: 2832 bytes