Malicious PDF — malware analysis report

Static analysis result for SHA-256 446eea11270e7373…

MALICIOUS

PDF

Size: 90.9 KB
Created: 2021-04-05 21:22:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 45bf1166f345c2609e49c1c31ac6eec9
SHA-1: 546c753f6fd95da1cbd10deece1cc87e6cc3bb95
SHA-256: 446eea11270e7373bc973605546437ce6f083c032bd687dc52a603ba9c368648
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous external links, many of which are obfuscated or lead to potentially malicious content, as indicated by the 'PDF_SEO_LINK_FARM' and 'ML_NYX_PDF_MALICIOUS' heuristics. The 'CLAMAV_DETECTION' heuristic further confirms its malicious nature, identifying it as 'Pdf.Phishing.Trojan'. The embedded URLs suggest an attempt to redirect users to phishing or malware download sites, likely disguised as content related to movie downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/123?utm_term=action+jackson+full+movie++hd+quality
    • https://cdn.sqhk.co/xakurusuk/cgi0xOy/fajazerefapadevima.pdf
    • https://cdn.sqhk.co/zakoduba/ibqThhQ/sojafefazawomazudi.pdf
    • http://braco.ru/corrugated_metal_sheets_for_sale_near_mejqe5f.pdf
    • http://hot-money.fun/dewalt_3800_psi_pressure_washer_diagram9228j.pdf
    • http://tokio-2020.fun/wosomop93f81.pdf
    • https://cdn.sqhk.co/tawibonikigo/euSboaH/49970883270.pdf
    • http://my-favshope.online/289344549705qn93.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/mosezavor/nafuzofufefisufogama.pdf
    • https://uploads.strikinglycdn.com/files/4fddc0b0-88f0-4c7b-8328-32dab0cac015/83569345429.pdf
    • https://b67fa923-03b4-4d21-b555-95ff628d7525.filesusr.com/ugd/1d4b90_065c43c80bbc49bb8d269bfe864d76ce.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b7591a02-6428-4f94-98d9-92801bdad86d/jazeduratoxokik.pdf
    • https://uploads.strikinglycdn.com/files/52172811-2d7a-43de-a66d-a263802ba0a2/16657032363.pdf
    • https://uploads.strikinglycdn.com/files/9dad1d76-259b-4668-8c31-1a87234c59a2/sinowilexibuba.pdf
    • https://uploads.strikinglycdn.com/files/29163c95-4d7a-44d5-a8c5-d84f27265064/is_gluten_free_oatmeal_good_for_dogs.pdf
    • https://d896c2b7-539c-4146-aa8a-b39d26e096d8.filesusr.com/ugd/a98ecc_275ebed0ae8f499c901eacb4e84b59c2.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1c2c2917-c320-4206-9291-da7b5457a3bd/texorirok.pdf
    • https://s3.amazonaws.com/xamibudasagas/sevisanukew.pdf
    • https://uploads.strikinglycdn.com/files/e744ba2a-b29c-4015-a29c-6eca7d352cb7/zogezivaruzulowipovu.pdf
    • https://26577e91-18e8-42c3-8e85-49dcca1d6605.filesusr.com/ugd/195787_1f462c12b05b4f37b28f4557f24e1d77.pdf?index=true
    • https://22fea36a-5e19-4af1-b4aa-fe6e1efe0ee9.filesusr.com/ugd/b5a188_923246bc621b42b28e576b42e6b5c97a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5475796f-8253-4589-a827-c622b72a6866/john_maxwell_leadership_bible_nkjv.pdf
    • https://uploads.strikinglycdn.com/files/13d3e31d-6848-4b23-a870-bd19e0dccc1e/divina_commedia_inferno_canto_3_riassunto.pdf
    • https://1b3fde16-7575-45ba-b40e-8916c64185ca.filesusr.com/ugd/8874e8_0ec6aa0cdf924909bc57c9d8d2737bca.pdf?index=true
    • https://uploads.strikinglycdn.com/files/cd3b55dc-4a5e-4228-8383-ff0167415a3f/mitimogeka.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000122d9.bin
    SHA-256: 9ddebe49ac16c109df855580e94e6f3175bf1a9b45187c4c45c41ccf4c769539
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x122D9
    Size: 5580 bytes
  • font_01_sfnt_off000135cc.bin
    SHA-256: 32e4ca7c08803e3d091955258a14bace97768d1772875ba2b728a541b961a702
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x135CC
    Size: 11288 bytes