Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ca7c6b24088862a…

MALICIOUS

PDF

73.6 KB Created: 2021-03-11 15:09:46 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9b662af546fc6d2de2bc009c92594802 SHA-1: c90eec1e6b004088b5f1e273f20c49f3a4b4614b SHA-256: 3ca7c6b24088862afb3fd7770b0e7716cf2c440a7d7ba0a6d3aab761021fc749
216 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file is identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing or malware distribution lure. It contains numerous external links, including a link farm and suspicious domains, designed to redirect users to potentially harmful content. The document body, though heavily obfuscated, suggests a pretext related to 'internet of things pdf research paper', likely to entice clicks on the embedded malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/award?keyword=internet+of+things+pdf+research+paper
    • http://igcopyrightverify.com/20561948528cyub.pdf
    • http://lnstagramsecurity.net/50322618006wktwq.pdf
    • https://cdn.sqhk.co/xolanikipiz/iegd2ih/best_fnaf_fan_games_2017.pdf
    • http://a1metromovers.com/r_in_action_2nd_editiontvera.pdf
    • https://cdn.sqhk.co/zizenozi/WjgFdgf/97843443694.pdf
    • https://cdn.sqhk.co/jasuxerazifo/iehbCjd/21295399692.pdf
    • http://ch-bewertung-2888.xyz/high_probability_trading_patterns_kora_reddyvhfmp.pdf
    • https://ziluxofizavamo.weebly.com/uploads/1/3/6/0/136009732/a38116eb6db005.pdf
    • http://securitycheckingbrowservkcom.xyz/synchrony_bank_old_navy_contact_numberxt8oq.pdf
    • https://sujofunipus.weebly.com/uploads/1/3/4/5/134502209/julevotigo-jujukefolaviki.pdf
    • https://cdn.sqhk.co/zudilubal/gfMzcZ5/72602135757.pdf
    • https://cdn.sqhk.co/runudori/cFerWgg/sixitaroseropelajen.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f89b8795-a90f-4359-81e0-6309601a98d9.filesusr.com/ugd/8e7730_132a001e7a3344e7b50180b11ab11613.pdf?index=true
    • https://a35aa970-3e4e-4c20-be1f-53d10001bce9.filesusr.com/ugd/af4e73_ac561226bc3c4ce289a2c5222c4f924e.pdf?index=true
    • https://7afcd0b8-98df-42a4-afe0-9544d44c9539.filesusr.com/ugd/74e9cf_a84fc77395094ed39aab97f20eb571a8.pdf?index=true
    • https://a5fc3680-5c08-4cda-bd6c-abaa3bdf25bc.filesusr.com/ugd/ea5d7b_6524a4cb8b5d44c0827a437ebcdb6b50.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c4ec75e9-fa86-4c2c-ac58-3cc082cad88f/nejesiropiniv.pdf
    • https://b998fa74-583e-446a-a2a7-67f41460fdb2.filesusr.com/ugd/e081f8_43e43ac3d1da41989a0828c6d70ebbed.pdf?index=true
    • https://uploads.strikinglycdn.com/files/9f37a42f-424e-41ca-a528-a02673837dc6/vebuw.pdf
    • https://cd65756b-a9c7-4cca-9498-1747a6459195.filesusr.com/ugd/05eb20_ee231cbed635478dac1320da5904fdf6.pdf?index=true
    • https://ee6bc897-aa08-459d-b6e6-b1b1d69fcba1.filesusr.com/ugd/7ba596_83b10878bd8b42a4b8ac9ff85c604a56.pdf?index=true
    • https://uploads.strikinglycdn.com/files/af08c277-d1c8-4aeb-8de6-ae98f2280abc/ziwowirubojavubuwoxagumo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e41a.bin
8236fbe1c99dd6f291c82eeb692ec2ee805f82037797f055ececadb7edfec3f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE41A 5320 bytes
font_01_sfnt_off0000f637.bin
c2d5d9859acffc1389e25ff9a6814e4012880610c94c581e662877c0f4dcb0b4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF637 10152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.