Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ae2f277d605cfc7…

MALICIOUS

PDF

93.5 KB Created: 2021-03-14 18:33:39 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b137d0f880f04ffb103ad69871d7958 SHA-1: 9f6ced6a4d9eef0d2fce7acfdd66069186138ebb SHA-256: 1ae2f277d605cfc7a88269d4c991036a2b58fb48bf695d57f002db76f9561ce9
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. It contains numerous external links, likely part of a link farm designed to redirect users to malicious sites. The heuristic 'SE_MFA_LURE' suggests the document attempts to harvest credentials or abuse multi-factor authentication, a common tactic in credential phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/wix?keyword=8+ball+pool+hack+no+survey+no+password+no+download
    • https://lujipened.weebly.com/uploads/1/3/2/7/132740552/7360830.pdf
    • https://milixugaxezo.weebly.com/uploads/1/3/1/8/131856079/mowitusutepoxojapej.pdf
    • http://mevukavotidu.getenjoyment.net/a_short_course_in_photography_film_and_darkroom.pdf
    • https://wabirigiraziw.weebly.com/uploads/1/3/6/0/136017191/jatuparat_tukazi_jawivu_wabak.pdf
    • https://rokawutavepuma.weebly.com/uploads/1/3/0/7/130776645/sijesepid.pdf
    • https://malitizume.weebly.com/uploads/1/3/4/0/134097131/d7d65d4b.pdf
    • http://kajuzumanaz.sportsontheweb.net/53003991375.pdf
    • http://luwogexejel.getenjoyment.net/analytical_writing_assessment_gmat.pdf
    • http://damodudajipofem.22web.org/mujumaginimubovurelov.pdf
    • https://losebevaxefot.weebly.com/uploads/1/3/5/3/135347065/valexebinogibojetu.pdf
    • https://cdn.sqhk.co/bitowiso/R2ghjj2/distance_measurement_using_laser_sensor.pdf
    • https://suzexefovewav.weebly.com/uploads/1/3/4/6/134640410/reraxewuwex_balegebis.pdf
    • https://werukubafufu.weebly.com/uploads/1/3/4/0/134000234/cd2ee086a0.pdf
    • http://zobabikox.medianewsonline.com/jofelebonor.pdf
    • https://cdn.sqhk.co/romilononove/5jiIOid/heroes_of_steel_rpg_walkthrough.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://semazixiguf.rf.gd/photoshop_templates_for_resume_free.pdf
    • http://gogobat.epizy.com/37721618972.pdf
    • http://bipegokatif.onlinewebshop.net/9th_grade_chemistry_test.pdf
    • https://21c505bb-01ca-4817-a549-4ed1ebba5040.filesusr.com/ugd/7d7105_7b23c81d18ed4fc3ac47233115d4f957.pdf?index=true
    • https://201a0bc5-0eb3-4135-8969-828875a6b07d.filesusr.com/ugd/607883_2f780852a632442b82a87045f7aaefdc.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000100f3.bin
f753b9116ab626f5a532c9d18080f9987022eb161d4294cfce4fd0e1f716f0eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x100F3 5716 bytes
font_01_sfnt_off00011467.bin
13678a14b930e6d42e11b2ac41b13981c2c7f5938cc30cfb194ad51886f1f1dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11467 2092 bytes
font_02_sfnt_off00011e0c.bin
e81d3d08ba900e84e040b37df63ed710904faef22425fe9448265ec9ff0e68a9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11E0C 11572 bytes
font_03_sfnt_off000145c2.bin
211c9297a8735562117019b0f7c529e071bb78d86d7d14f7064baed8193fe653		 pdf-font-stream PDF embedded font (sfnt) at offset 0x145C2 19372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.