Malicious PDF — malware analysis report

Static analysis result for SHA-256 383ad6363b6e12dd…

MALICIOUS

PDF

Size: 76.7 KB
Created: 2021-04-03 23:01:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 24e3a608425e096a0ed24ea5394835e0
SHA-1: 7b5ac5cc7148b564727c1ae961035c5df54c266f
SHA-256: 383ad6363b6e12dd502c6afe4acbc58a17b0862adb3f1993fe99d96088e85f16
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing lure, specifically using a "Yahoo password reset help" pretext to direct users to a link farm. The presence of numerous external links, many pointing to PDF files, suggests an attempt to manipulate search engine results or host further malicious content. While no scripts were directly extracted, the PDF structure and heuristic firings indicate a malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://vilenefex.ru/wix?keyword=yahoo+password+reset+help
    • https://fefizilev.weebly.com/uploads/1/3/1/4/131453506/mazofefir_lutenezuwit.pdf
    • http://idealica-columbia.site/jawiwiguribitew3omh.pdf
    • https://cdn-cms.f-static.net/uploads/4407060/normal_6041e3c445021.pdf
    • http://rezotu.xyz/sage_the_gemini_no_exes_tekstowonjheo.pdf
    • https://cdn-cms.f-static.net/uploads/4366348/normal_6032e45830db8.pdf
    • https://kabudinikibe.weebly.com/uploads/1/3/4/7/134716255/mapago.pdf
    • https://sivikowililip.weebly.com/uploads/1/3/4/5/134599649/a300acc0a4efea5.pdf
    • https://vizodifoberesin.weebly.com/uploads/1/3/4/9/134900429/cf762f.pdf
    • http://com-signto6.xyz/taranagy36rc.pdf
    • https://cdn-cms.f-static.net/uploads/4374953/normal_60542db1abdf0.pdf
    • https://jonokerozub.weebly.com/uploads/1/3/4/7/134714828/lazupikegogizafipu.pdf
    • https://cdn-cms.f-static.net/uploads/4371013/normal_601902fbd79e8.pdf
    • http://about-igsupport.com/how_to_replace_the_charging_port_on_samsung_tablettg6q2.pdf
    • https://cdn-cms.f-static.net/uploads/4428331/normal_6016b903811e6.pdf
    • https://cdn-cms.f-static.net/uploads/4460477/normal_604300fc3d890.pdf
    • https://cdn-cms.f-static.net/uploads/4463275/normal_602e11b9b4565.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://3bcdeb60-9876-4d14-bc0a-1dd1632c647c.filesusr.com/ugd/16a96a_54764c2b1d1b418aa6306891b813eca9.pdf?index=true
    • https://c2267750-1f6d-4c2f-944a-eb302c7f07d7.filesusr.com/ugd/93971e_067952f56bb947a1941225223d182b43.pdf?index=true
    • https://e809654a-a95b-4dbc-a338-24085255a2f8.filesusr.com/ugd/1b6cec_293d566cd78c495bad05a6b2f30a47dc.pdf?index=true
    • https://ff9dba89-6132-4485-99c2-ace8a2453124.filesusr.com/ugd/c3f59f_c2455a8775ee427b926e3ba0dada5229.pdf?index=true
    • https://50c84cdf-c8d4-407e-a307-361b94491100.filesusr.com/ugd/f2656e_5079846be0d84c2fbecf9e29ec2c5d45.pdf?index=true
    • https://b1e6e3cd-24a2-426a-8b7d-e8f4bd81915b.filesusr.com/ugd/83e584_5fd0c7bb6a474a5e87d525f30906a4af.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f013.bin | 0000167d7dd4e9aa8a9db77bfd8f3a1a569da736e34400fa93e4d2cdc583f8c5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF013 | 5100 bytes
font_01_sfnt_off00010175.bin | 282bde379305993e349456db4dda7817c2a655f457abe79c74cd1a0483501caa | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10175 | 10628 bytes