Malicious PDF — malware analysis report

Static analysis result for SHA-256 16b88fcfbc21aebd…

Verdict: MALICIOUS
File type: PDF
Size: 98.2 KB
Created: 2021-03-12 10:53:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd42899c7202124ec5411d542a276a20
SHA-1: a91be38a481d1061a74ab5d4f8011126ec04c2e5
SHA-256: 16b88fcfbc21aebd7223325597ea5047ef6fff2734f8fbd801392defce4064aa
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for phishing or for distributing further malware. The ClamAV detection and the ML classifier both strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and the embedded URLs suggest it is designed to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9905

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e383.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE383   24464 bytes
  SHA-256: a00235a3470df3ff06f9a8a4b906010492201e6e2926d6b29c9b7b0fb5fa25ed
font_01_sfnt_off00013037.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13037  5204 bytes
  SHA-256: fd56b3c2aa8c383896a4f9dca937012743abf62a1f0f3b0d9b3287ed7eaebf51
font_02_sfnt_off00014205.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14205  10412 bytes
  SHA-256: 4771923655a327fca2dba858653f1f5a7f9cea43bd7cf414f0bd53303c69175d
font_03_sfnt_off000165cc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x165CC  16064 bytes
  SHA-256: 6f41d85279102efce3c4bd26fddb767baf9b68a4f55e239fba9bedc2a2d3b953