Malicious PDF — malware analysis report

Static analysis result for SHA-256 19a0b7771c949fde…

MALICIOUS

PDF

71.3 KB Created: 2021-06-05 21:06:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04659f53a04b73eb4a710cfca1cc7252 SHA-1: edfaf072b680049c82773fe6fca70a00446ec55c SHA-256: 19a0b7771c949fdeaeb96e73b371ffdeab3a7c4125dc2d4827c695557910a4af
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used for phishing or to host malicious content. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of links, suggesting an attempt to manipulate search engine results or distribute malware. ClamAV detection and ML classification confirm its malicious nature, likely related to phishing or a trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ketchas.ru/pbw?utm_term=types+of+chemical+reaction+worksheet+ch.+7+answer+key
    • https://zazukesoj.weebly.com/uploads/1/3/4/3/134317965/8956058.pdf
    • https://tulosiwawi.weebly.com/uploads/1/3/5/3/135326734/d2e07813af.pdf
    • https://ragibifurox.weebly.com/uploads/1/3/1/3/131379945/3858374.pdf
    • https://fedonofawok.weebly.com/uploads/1/3/4/8/134881994/249727.pdf
    • https://vulakesekek.weebly.com/uploads/1/3/1/4/131438428/3748b68808c53f2.pdf
    • https://kosazuritejozu.weebly.com/uploads/1/3/0/8/130874521/1797235.pdf
    • https://cdn-cms.f-static.net/uploads/4489587/normal_603a53f1e50b7.pdf
    • https://cdn-cms.f-static.net/uploads/4465389/normal_6046ca8495319.pdf
    • https://cdn-cms.f-static.net/uploads/4366369/normal_604a406717dd1.pdf
    • https://nizevamil.weebly.com/uploads/1/3/2/8/132814567/534296.pdf
    • https://pobexapuze.weebly.com/uploads/1/3/0/7/130740180/xetorevumokigove.pdf
    • https://cdn-cms.f-static.net/uploads/4407302/normal_60684b3505ad7.pdf
    • https://cdn-cms.f-static.net/uploads/4465390/normal_5fd669f90e325.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/64de73df-9ea9-4b81-9dea-028be977e21d/shimano_dealer_warranty.pdf
    • https://uploads.strikinglycdn.com/files/e9492192-f01d-472a-9132-8d483b6e9b31/zifuwatekonaboluker.pdf
    • https://uploads.strikinglycdn.com/files/77524238-f105-4616-b369-c2b7e7b92a67/winevova.pdf
    • https://uploads.strikinglycdn.com/files/691a256b-64ef-482a-a42b-ca2da10ea446/kingdom_manga_volumes.pdf
    • https://uploads.strikinglycdn.com/files/86e262a8-2393-461b-a4be-8f010220cde9/zuvivanenijetelat.pdf
    • https://uploads.strikinglycdn.com/files/8607b6eb-3d50-4d9d-ba71-9125e4e371cd/45391312440.pdf
    • https://uploads.strikinglycdn.com/files/fd2bc836-630b-436d-9e5c-b542c4bcc85e/4797593268.pdf
    • https://uploads.strikinglycdn.com/files/8326e5b5-7866-4762-bb12-7dd44939c7ed/the_hierophant_astrology.pdf
    • https://uploads.strikinglycdn.com/files/b5057240-314f-4687-bea6-48a4f1393a26/35976493426.pdf
    • https://uploads.strikinglycdn.com/files/a5ff060a-fafc-4b69-b925-557630e27054/excel_vba_call_function_from_another_worksheet.pdf
    • https://uploads.strikinglycdn.com/files/f8acc555-b4fc-4d39-8e7d-2dd6a472986d/vopebeli.pdf
    • https://uploads.strikinglycdn.com/files/7901f368-5b8b-4408-8b56-e56c2c623241/puwatowo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db00.bin
fae7ef0a8c23d6a3cdaece3fba548c6b8e2d8bea6af305c597c2ea99d36e61ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDB00 5576 bytes
font_01_sfnt_off0000edeb.bin
d7c95ab34e6ef51e2c39940e747180c6007d2d35f17a4d7cd367943949b2376a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEDEB 9756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.