Malicious PDF — malware analysis report

Static analysis result for SHA-256 40a26ccc275734ae…

Verdict: MALICIOUS
File type: PDF
Size: 68.7 KB
Created: 2021-03-20 04:33:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 06e6087d1f4a350301f8360d5c5e441e
SHA-1: 59296c4bd28e766c69364334db7f05fc1c47f6dc
SHA-256: 40a26ccc275734ae9770cc15694709961b514a040a56baf0b0b1bcab84f1aa63
Risk Score: 236

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file is identified as malicious by ClamAV and ML classifiers, exhibiting characteristics of a phishing and link farm attack. It contains numerous external links, many pointing to suspicious domains, designed to trick users into downloading further malicious content. The PDF's structure and embedded links suggest an attempt to create a deceptive user experience, likely for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link to algorithmically-generated URL [high] PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures (the visible document is only a prompt), not a PDF parser vulnerability.
  • Image-heavy PDF with invisible link to suspicious domain [high] PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/strik?utm_term=huskee+rototiller+manual (PDF link annotation)
    • http://privateguardingserviceagainstdanger.site/what_are_some_qualities_of_a_good_managerl9jb9.pdf (in PDF document text)
    • https://voloripilobolim.weebly.com/uploads/1/3/4/6/134635915/2034144.pdf (in PDF document text)
    • http://pofefazuvalime.iblogger.org/embryology_book_inderbir_singh.pdf (in PDF document text)
    • https://lijarodamuvoraj.weebly.com/uploads/1/3/4/4/134456910/nagitezud_fitatasulav.pdf (in PDF document text)
    • http://magnetfix.store/mogozufesibazinawidad65dui.pdf (in PDF document text)
    • http://managerprogram.live/how_to_play_cards_of_against_humanityduu3u.pdf (in PDF document text)
    • http://help-nanny.site/46978223384vmbxo.pdf (in PDF document text)
    • https://vamarimorojikav.weebly.com/uploads/1/3/4/6/134640123/6830702.pdf (in PDF document text)
    • https://kiwemedorupa.weebly.com/uploads/1/3/4/4/134446537/zifunelozi.pdf (in PDF document text)
    • https://lopowizuxo.weebly.com/uploads/1/3/4/4/134438001/25770d2d6c0a850.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://s3.amazonaws.com/xapijifas/sql_server_2016_standard_iso.pdf (in PDF document text)
    • http://lufepurobu.epizy.com/carcinoma_papilar_de_tiroides_pronostico.pdf (in PDF document text)
    • http://bitudisejopelak.rf.gd/linear_algebra_coursera_answers.pdf (in PDF document text)
    • https://s3.amazonaws.com/latufenaw/zajinekasu.pdf (in PDF document text)
    • https://s3.amazonaws.com/zetituri/wofurowex.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ec2b6951-f939-4553-ad51-ace6cb3abfef/33295917224.pdf (in PDF document text)
    • https://s3.amazonaws.com/lowuwofuxali/zuzajamugavatozaku.pdf (in PDF document text)
    • https://s3.amazonaws.com/legapatatezisa/71481141954.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1e0a65dc-a1d2-48a5-b776-1063ed782336/ratios_and_rates_worksheets_7th_grade.pdf (in PDF document text)
    • https://s3.amazonaws.com/devuxuzejozam/girl_interrupted_trailer.pdf (in PDF document text)
    • https://s3.amazonaws.com/xalexojaxipud/boxplot_example_with_answer.pdf (in PDF document text)
    • https://s3.amazonaws.com/ravuxudibure/dallas_county_assumed_name.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c4375b97-1d89-4b3a-b567-06fefdd270dc/why_is_my_stylus_pen_not_working.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000c396.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xC396   4736 bytes
  SHA-256: baa26ec1f06b8988a173a0ef64f2ca0f7e53f801ff10ed522f44ce4ce3ff6faa
font_01_sfnt_off0000d384.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD384   10496 bytes
  SHA-256: 6f851233824559d6da3f5f1d7f015e106c8977264c31584153cbf33b341e8175
font_02_sfnt_off0000f76e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF76E   4324 bytes
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333