Malicious PDF — malware analysis report

Static analysis result for SHA-256 37372c096e97ba4d…

Verdict: MALICIOUS
File type: PDF
Size: 80.4 KB
Created: 2021-03-27 16:41:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ada44fe36f87c7f3be0453c4456b108e
SHA-1: 234412e3deb23426edb0fa7717f1b21d143f81a5
SHA-256: 37372c096e97ba4d5c9d74fe94e6a1028df39a115c9d85bfece854bccabc2566
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, suggesting a link farm or phishing attempt. The presence of embedded URLs and the PDF's structure point towards it being used to redirect users to potentially harmful websites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                     | Size
font_00_sfnt_off0000e880.bin | 90561340aa1f85977627274cda4dd52be803488effd07ad5cfa92d68816512f7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE880  | 4940 bytes
font_01_sfnt_off0000f967.bin | 2dc7f38f89eb97da38c265d9f624584c596fa0a63b265030b2266813ec86781d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF967  | 11056 bytes
font_02_sfnt_off00011f30.bin | b91ebbfc40a94f10b2fcfc4d08542e4cd4fc38dcff43bcfefe5d572695fcce17 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11F30 | 16160 bytes