Malicious PDF — malware analysis report

Static analysis result for SHA-256 230424263a96bed5…

Verdict: MALICIOUS
File type: PDF
Size: 75.3 KB
Created: 2021-04-01 18:43:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8da2f1ca580778fc40809c3a768ddfd
SHA-1: bf525ba0c4fdfd79e799a4143bb056ef4aa992f5
SHA-256: 230424263a96bed5380123010f68c91ab16f24b7a095a73057e4f2bdd337bc0e
Risk score: 196

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains a large number of external links, many of which point to PDF files hosted on various platforms, suggesting a link farm or redirection mechanism. The 'SE_CLICKFIX' heuristic indicates the document likely instructs users to execute commands, a common tactic in social engineering attacks. The presence of embedded URLs and the ML classifier's high confidence score further support a malicious intent, likely to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • SE_CLICKFIX (high): ClickFix social engineering attack
    Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/123?utm_term=windows+system32+battery-+report.+html
    • https://gogiwujuduk.weebly.com/uploads/1/3/4/3/134352159/pigiwekum.pdf
    • http://repair-monokoles.ru/jepogozirikepan576w.pdf
    • https://cdn.sqhk.co/wevexifimur/cIDaiaT/birexopumovorelok.pdf
    • https://nukofagola.weebly.com/uploads/1/3/4/8/134883999/1c5895384687b11.pdf
    • https://cdn.sqhk.co/zupodejadofe/igkjgge/laxevalulurukasuk.pdf
    • http://cabinetsly.xyz/74950445170z6zqf.pdf
    • https://cdn.sqhk.co/demanajinu/nqghje4/78631779555.pdf
    • http://yogait.space/all_sorting_algorithmsmhrih.pdf
    • https://timitadenemegi.weebly.com/uploads/1/3/4/7/134728598/dewimiti_budujirofapoze_ropoket.pdf
    • https://cdn.sqhk.co/gorokipo/pChgHhi/polumosabi.pdf
    • https://linebabeta.weebly.com/uploads/1/3/5/3/135317009/3b57a45.pdf
    • http://azalea.store/gavinapuxutixepdo350.pdf
    • https://cdn.sqhk.co/viforoge/d0gduon/38112338409.pdf
    • https://sugokumorol.weebly.com/uploads/1/3/1/4/131437576/kapoziso.pdf
    • http://espacecmb.xyz/atomic_and_molecular_physics_noteshld1o.pdf
    • https://dipedupaketi.weebly.com/uploads/1/3/4/3/134333799/d358b.pdf
    • http://avlto.best/the_sins_of_dorian_grayiysfg.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://cc0b58a5-7bf4-4b41-9cd7-d9bc0cd2cc6f.filesusr.com/ugd/6dc98b_4f9e1df6c67b48b4a404747151b2eb75.pdf?index=true
    • https://f9c81679-ddb1-4746-ab40-32673edc426c.filesusr.com/ugd/2eff39_e18ea712587a453db0b94bd6ef9bae8a.pdf?index=true
    • https://50e0a74f-e7a5-4ac3-a7a6-4cdd7b1ad00e.filesusr.com/ugd/8a9d9f_ca537241818d431289587c042431458f.pdf?index=true
    • https://c7972686-9310-4d97-8ac3-15e828887225.filesusr.com/ugd/8a419d_ccdea2d468f942d5b1fe3fc054cc3b59.pdf?index=true
    • https://b20aee1f-b1b7-4e4e-be5e-d884e4ece670.filesusr.com/ugd/10e3af_58e417b260a24ce596ed23b77f7acdf4.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e78f.bin
  SHA-256: d3a5908d5aa850f2e4d3aa9ad7325e8992017458b3268b16c14a02c3feef7240
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE78F
  Size: 5904 bytes

Filename: font_01_sfnt_off0000fb9e.bin
  SHA-256: a178d13ab58f4c93590f4c5d7175bf2d19a67fd98cf1287cf42b98a5b6a4c675
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFB9E
  Size: 10588 bytes