Malicious PDF — malware analysis report

Static analysis result for SHA-256 152f7a9bd674e388…

Verdict: MALICIOUS
File type: PDF
Size: 106.7 KB
Created: 2021-03-24 09:05:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 409f9452fe38a16329ce2e66acc15b68
SHA-1: aa51bb2607dcd2c6c13850190856b6e6bd1c0633
SHA-256: 152f7a9bd674e388f99b1572d2815705929346b663258144d1f1421854b8d0da
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous external links, including one that promises 'free unused amazon gift card codes list', suggesting a phishing or scam lure. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, with 'http://mitatizizuje.mypressonline.com/54065655657.pdf' being a prominent example. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/wix?keyword=free+unused+amazon+gift+card+codes+list
    • http://mitatizizuje.mypressonline.com/54065655657.pdf
    • https://lipijubirenazob.weebly.com/uploads/1/3/4/7/134722159/voxarubafuzilixi.pdf
    • https://cdn.sqhk.co/xidatelo/hjdjeCL/brick_crushing_machine_hire.pdf
    • http://zhigina.ru/civil_service_equivalent_military_rank_in_bangladeshqn895.pdf
    • http://xojuxelase.medianewsonline.com/fomad.pdf
    • http://pekibexuvipeve.scienceontheweb.net/kedikuwosatevogelufuk.pdf
    • https://cdn.sqhk.co/letopoto/nez9K6Z/wuxijad.pdf
    • https://xowitato.weebly.com/uploads/1/3/0/7/130776358/vijopupa-kazakib.pdf
    • https://cdn.sqhk.co/sizozizaj/gfSolic/sheet_metal_ductwork_fittings.pdf
    • https://wusuritod.weebly.com/uploads/1/3/0/7/130739885/kibunen.pdf
    • https://cdn.sqhk.co/kezagajasiw/g0ij3gd/business_report_cover_page.pdf
    • http://cashtanks.fun/ragasoliwonexelozfk2s.pdf
    • https://cdn.sqhk.co/zuronenom/idvzTjm/28531773571.pdf
    • http://esagafow.fun/bheema_video_song_720pbjlyb.pdf
    • http://efarbok.xyz/85254803459qey6k.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://b9387e75-0942-48a6-8a47-0bd3f0224277.filesusr.com/ugd/fc485c_30462094328f4bd5a6520f6c83180ad4.pdf?index=true
    • https://03aaa7dd-6608-466c-a68c-f41c59811c05.filesusr.com/ugd/ae15ca_d6796fe4b08545118f2c2b24a2de6a39.pdf?index=true
    • https://2a4c341d-9af7-4f89-b48a-1b926ad6ced7.filesusr.com/ugd/dd6616_a2eb583ddd1240588eceff1ef3734378.pdf?index=true
    • http://fekejuw.atwebpages.com/vovamatunewekuxisepodoz.pdf
    • https://c3438639-6a75-4920-aa4f-d1e0b619354f.filesusr.com/ugd/3be3a7_51046daac6ca4a5b8b1a849a19bb070a.pdf?index=true
    • https://s3.amazonaws.com/rijaliwiguvex/mosotulujufak.pdf
    • https://30621b86-6952-4b41-80af-4d24d830bc7c.filesusr.com/ugd/122077_4c0411bf01d74822bc1ec89ac10943bf.pdf?index=true
    • https://s3.amazonaws.com/jaxesabi/what_is_the_difference_between_food_chain_and_food_web_give_some_examples.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000162fb.bin
    SHA-256: 886dc3aa2f0313e6d3b1bf7dd1bb112abd3bef0763101d31f994719352628d5e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x162FB
    Size: 5348 bytes
  • Filename: font_01_sfnt_off00017524.bin
    SHA-256: 9fcec9dc1bf07b83c5252872fec45f1eb75bdbf06cf921aa0a8e3aeb6bcdb6eb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17524
    Size: 11448 bytes