Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ba4c973c3c93357…

MALICIOUS

PDF

79.2 KB Created: 2021-03-15 00:32:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 779b2c152acf2cac5a9707be3d8b743b SHA-1: 208c02db463fe4969edb095247f329d96bacaf9a SHA-256: 2ba4c973c3c933578106e8c6dc12487f1d6ac07a8586f170aad3debf1b4505a3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains an embedded URI that suggests a lure related to 'loan contract form pdf', likely intended to trick users into clicking the link. The presence of numerous external links, many pointing to benign files, suggests a link farm or SEO poisoning tactic to improve search engine visibility for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/award?keyword=loan+contract+form+pdf
    • http://temppicture.xyz/how_much_do_dhs_pay_for_childcare41cwk.pdf
    • http://ch-data-2a8fv9s.pw/duwaguboxp9dj8.pdf
    • http://jepenufi.getenjoyment.net/90931110300.pdf
    • http://metoxegid.mygamesonline.org/how_to_access_asus_router_configuration.pdf
    • http://xafopawiki.medianewsonline.com/muzome.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e44de090-c64a-4a0f-b555-2784aa0ac37b.filesusr.com/ugd/41d583_93d7d14b35234b13820f8ad6d72349c6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6be9a330-c835-410b-a99f-767d4744945a/17793162100.pdf
    • https://38aad9b5-7a72-45b8-ac81-9fe73ce82000.filesusr.com/ugd/08338c_3a0606ebe3d84640b418cc015dfa5f5e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e8c3f034-d07d-4cbf-bd99-7c7fcef12805/how_do_i_adjust_the_volume_on_my_roku.pdf
    • https://uploads.strikinglycdn.com/files/77e160c8-9bc0-4734-807d-4813b3668c86/tutugi.pdf
    • https://uploads.strikinglycdn.com/files/f193ceb4-8c58-4e08-969e-e77a74080675/ea_sports_ufc_3_pc_download_free.pdf
    • https://uploads.strikinglycdn.com/files/8ef6bac0-565f-43e8-9802-b7fb6639e362/why_is_my_printer_not_printing_color_right.pdf
    • https://uploads.strikinglycdn.com/files/e898deae-0598-4ae8-9268-5b2bbfeda207/ferrari_488_for_sale_by_owner.pdf
    • https://dc010c70-835d-4b56-8cb0-1e1bda7cab64.filesusr.com/ugd/fb576b_e20df5931e2a46e8a0bccaad21303395.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b0c33e6b-01dc-446f-98ab-7b64efe9b8d5/keurig_2.0_filter.pdf
    • https://fe92b815-f0fe-4223-924b-659339f44b90.filesusr.com/ugd/8f64fc_9b42c418d9d445ce96d6c2e450df61e5.pdf?index=true
    • https://33b7cf8b-1cb2-46d9-9063-17e97cba5e80.filesusr.com/ugd/9edd50_c254ca6b121240538ba5d4a3a7281b61.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b573b265-3d3d-482a-a431-e60b8449c58f/30301509728.pdf
    • https://2987c0f4-171e-4473-b3f1-a5468658115b.filesusr.com/ugd/75ff8a_2266a47f820a482fa0d4e7d09369ecba.pdf?index=true
    • https://569961a5-e6b5-462d-8b38-7193d5e7b20b.filesusr.com/ugd/a37a2e_84a040156586430db896ae4d0c3af233.pdf?index=true
    • https://4993f9ff-345c-4c03-a8ec-d4f8dac664d6.filesusr.com/ugd/debbe1_73d32b9a31fb4d68a9a5485e77006f5b.pdf?index=true
    • https://ddc7b23b-31e5-4b5c-aaad-d3b7cef26861.filesusr.com/ugd/e506b8_77717dc5bd4b423581902b635b9efad6.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f7bd.bin
265b5d7ec91af846e3285e142f4b5c62869a171e7f671109bad9e56c1450471c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF7BD 5032 bytes
font_01_sfnt_off000108c6.bin
b462d359703814174f547eabe200ecf8294cb66d73bbb099c35115d7a4e5cc77		 pdf-font-stream PDF embedded font (sfnt) at offset 0x108C6 11020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.