Malicious PDF — malware analysis report

Static analysis result for SHA-256 419f07481278965d…

Verdict: MALICIOUS
File type: PDF
Size: 71.7 KB
Created: 2021-03-23 00:37:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 31275b146ae97ff2044ff8ac3208b4e8
SHA-1: cd46de01f31ac2726c05e3cfe39cdf9ac3a76faf
SHA-256: 419f07481278965d78ccf2aee506dd6abd5674d51016cdda7bda893965029344
Risk Score: 176

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains a large number of external links, many of which point to potentially malicious domains, suggesting a link farm or redirection scheme to distribute malware or conduct phishing. The document body, though heavily obfuscated, appears to reference 'American Red Cross first aid/cpr/aed', a common lure for social engineering.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • QR-code redirect lure [medium] SE_QR_LURE
    The document instructs the user to scan a QR code with a phone. This is consistent with QR-code phishing, but is also common in legitimate documents.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000db7c.bin
SHA-256: f9b5c7dcb460f9c9cbb029b66ec60c379dca1874d56ed09e60bd3ff7125c4682
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xDB7C
Size: 5292 bytes

Filename: font_01_sfnt_off0000ed71.bin
SHA-256: 9c52fb4b995799f5ab5541e591e3502987f854d26bce8cf4216d3a447048ad80
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xED71
Size: 10588 bytes