Malicious PDF — malware analysis report

Static analysis result for SHA-256 293fa7f0ed964bb6…

MALICIOUS

PDF

92.1 KB Created: 2021-03-16 01:50:17 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cc91dc6f333d7b9b3f960075f1eee288 SHA-1: 522cba9aab060cf80d2061e0154339b1ad66d3f9 SHA-256: 293fa7f0ed964bb62671ea2449fc43446e860688404892875314a26a8b33d7d4
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of external links, many of which are SEO-themed, suggesting a link farm or content manipulation tactic. Crucially, a heuristic detected a 'Clipboard command execution lure,' indicating the document instructs users to paste commands into a shell. This, combined with the ML classifier and ClamAV detection, strongly suggests a malicious intent to trick the user into executing arbitrary commands, likely to download and run a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/award?keyword=amadeus+basic+commands+pdf
    • https://cdn.sqhk.co/rodofusavivi/ajGRaag/cytus_2_mod_apk_free_download.pdf
    • https://cdn.sqhk.co/nipigagavadu/bpcABh3/rainway_vs_parsec.pdf
    • https://cdn.sqhk.co/xobupuwulawe/hhhfhd3/formula_1_2019_ps4_car_setup.pdf
    • http://vekeludin.iblogger.org/vugonufesuse.pdf
    • https://cdn-cms.f-static.net/uploads/4424630/normal_6047367e72dc7.pdf
    • https://cdn-cms.f-static.net/uploads/4379230/normal_6025183855e80.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xesigeze/alzheimer_s_dementia_symptoms_tracker_worksheet.pdf
    • http://dinimonubikajo.rf.gd/luziponuje.pdf
    • https://s3.amazonaws.com/pezofut/gb_whatsapp_for_android_apk.pdf
    • https://s3.amazonaws.com/zijivevip/how_to_use_igora.pdf
    • https://s3.amazonaws.com/datarofapakil/6284016837.pdf
    • http://lisiguzaxupego.epizy.com/nenupapufewupifoj.pdf
    • https://cee4a208-09ac-40e0-983f-4c2cc776acbe.filesusr.com/ugd/5ed537_95a82b448f4a46afa1d2d7e96d78047e.pdf?index=true
    • https://s3.amazonaws.com/tevigotu/36181222089.pdf
    • https://9e9203d9-9f5b-42f2-a849-05e42d741f90.filesusr.com/ugd/3527d5_b31e46c711c74192854ded4e252042eb.pdf?index=true
    • https://217ba8a6-026c-4a9e-b1ce-2eadff0a4a08.filesusr.com/ugd/3d7af5_0fbb5ce901174af09d2cac24d79eacd5.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f319.bin
24fd6868f187b5667792517f9f69d22ac5a3de5011d4d3824467392effeade79		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF319 6588 bytes
font_01_sfnt_off00010393.bin
09b452bad12fcca6dc3edecd18bef291449f479c50556d98581b406f4475e8a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10393 5304 bytes
font_02_sfnt_off00011581.bin
af0154cd2a322d8d82c0b4b905e49f9f3c036e662eb9b20313c6b725aad31fef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11581 5600 bytes
font_03_sfnt_off0001269f.bin
1d40429b584e047ced5e6e78f34952604692f0c3999939beb46c92e12d2e59cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1269F 11168 bytes
font_04_sfnt_off00014cf0.bin
3835edc4e0c542677e632cac7c10c69e3bb009d48823b8b2d22bb30a5a413f4c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14CF0 16188 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.