Malicious PDF — malware analysis report

Static analysis result for SHA-256 48f13eef4800a271…

MALICIOUS

PDF

86.6 KB Created: 2021-03-07 12:53:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8b77b3856f30e713c5f74ca3a2e0db71 SHA-1: d62f304030fa57f3257e5e285d692c663b11ff3e SHA-256: 48f13eef4800a2719d7d384c74a9b2e7453a2115962b64d58af42199fa664249
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link farm and an embedded URI pointing to a website that appears to be a search result for 'Hisense portable ac manual'. This suggests a phishing or SEO scam tactic designed to drive traffic to potentially malicious sites. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/wix?keyword=hisense+portable+ac+manual
    • https://milevewon.weebly.com/uploads/1/3/4/0/134041257/povafajuji.pdf
    • https://sezowizubuv.weebly.com/uploads/1/3/0/8/130874308/438048.pdf
    • https://wabomojufodeze.weebly.com/uploads/1/3/3/9/133999178/9767786.pdf
    • https://dosaremuxabibi.weebly.com/uploads/1/3/0/7/130739916/14fb87edceebf6.pdf
    • https://jevamupoledi.weebly.com/uploads/1/3/4/7/134712268/vitafeketam.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/fb07e70f-a486-4fe0-a8fb-d2dcd100cc9b/are_any_aa_meetings_open.pdf
    • https://s3.amazonaws.com/nonipesikiri/73062226678.pdf
    • https://s3.amazonaws.com/buwosevax/bigoxapetelapen.pdf
    • https://uploads.strikinglycdn.com/files/db9356db-2b55-4658-8244-57dd236862b5/56309070982.pdf
    • https://cd753cf5-d90a-4073-9c55-931a76e81761.filesusr.com/ugd/8826df_2558898168634d978bcb51407a17d736.pdf?index=true
    • https://ee6bc897-aa08-459d-b6e6-b1b1d69fcba1.filesusr.com/ugd/7ba596_12c46a025c15476981c12d9d3ffa510c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0fae3b04-4305-4b34-9ecf-a823dde16006/36337645231.pdf
    • https://a98f38e8-5810-4fc9-be6a-c3d78c7c4f9f.filesusr.com/ugd/921909_25fb997f3b604306b98513a48fd01309.pdf?index=true
    • https://67a4337f-2b79-4d04-9c1d-2578c80f4945.filesusr.com/ugd/964009_ae28c8fd9b014536b98ebf57f24fc89f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/fc97baf2-eab0-4f16-9199-75121f963319/41041979400.pdf
    • https://ba3a7bb5-edd2-4228-b29c-cf272df6a868.filesusr.com/ugd/bd1c09_5f13a9e664fd40fcb69f56f904445579.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ca4f2a93-c864-4d12-81aa-b3143517c65a/1996_polaris_xplorer_400_tire_size.pdf
    • https://21a67f6d-2aea-439f-a910-ed4feb6be009.filesusr.com/ugd/173616_abaa2fc719874b03b97c19d8873bb6a2.pdf?index=true
    • https://s3.amazonaws.com/lorifawuvawot/48159210286.pdf
    • https://e2604e0b-f95a-4acb-b53f-a7db3827b2a1.filesusr.com/ugd/225520_00d95d2ba7a3434a8ee11d7a8f3d7ecb.pdf?index=true
    • https://s3.amazonaws.com/gonafoziguwewe/zexewonaraforaxujiga.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010298.bin
7399fcec35536967a8a5e4c33d0c0df777c3c827b0a999aca463aecaf7248d57		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10298 5180 bytes
font_01_sfnt_off00011418.bin
691971c9b5b53de6fd159b0f43c465d51ee6f9bbcf762a81094c5e098e0f6a74		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11418 10292 bytes
font_02_sfnt_off00013755.bin
ad895e76da48001851030ef04915152bd3a3157b00b9f711ff0c52f2c28fc569		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13755 16232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.