Malicious PDF — malware analysis report

Static analysis result for SHA-256 494ee2c0c638c8b6…

Verdict: MALICIOUS
File type: PDF

Size: 83.0 KB
Created: 2021-04-26 03:25:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 972abb96341bcb0e5d9441a51758eb3b
SHA-1: 2733fb68cfb81d7f96805063464ba09eddf66d98
SHA-256: 494ee2c0c638c8b6ceb5aceb995de46eb5f1687f676a6f70e9a944eb1248f30e
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, a technique often used to redirect users to malicious websites. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as a phishing trojan. While no scripts were directly extracted, the PDF structure and embedded links suggest an attempt to exploit users by masquerading as legitimate content to drive traffic to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=gigabyte+ga-x58a-ud3r+rev+1.0+manual (in PDF link annotation)
    • https://cdn.sqhk.co/fafojipedul/gihi7if/29020132191.pdf (in PDF document text)
    • http://tells.fun/what_are_some_other_words_for_left_outslruq.pdf (in PDF document text)
    • http://bestunew.xyz/zefatarejifepuzdvgn.pdf (in PDF document text)
    • http://bexowobiminefi.mywebcommunity.org/fopivugomugisome.pdf (in PDF document text)
    • http://gesetaxoxu.sportsontheweb.net/22537881565.pdf (in PDF document text)
    • http://50offit.pro/38131453073vbz0d.pdf (in PDF document text)
    • https://cdn.sqhk.co/benibavagoge/gfjieij/kaiser_pharmacy_hours_near_me.pdf (in PDF document text)
    • http://jefevivavifax.scienceontheweb.net/how_to_adjust_defiant_motion_sensor.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/lorugipopuxe/73250623532.pdf (in PDF document text)
    • https://41c240d9-b4af-4f88-8fa4-2a41cce3a287.filesusr.com/ugd/01bc73_cf66f1f683e741a1986534a9f1df0556.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/sonutopexaramuf/penurexerabuwukikofebev.pdf (in PDF document text)
    • https://s3.amazonaws.com/xijalovelokolep/xavowifej.pdf (in PDF document text)
    • https://s3.amazonaws.com/degagaziv/cheat_engine_6._7_pc.pdf (in PDF document text)
    • https://856cb5e6-6c81-45ce-9604-b57907a15cd2.filesusr.com/ugd/cc3ca9_103a9b119aad40049ce936f3d4eb61e4.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/vibuvomomuv/33103494567.pdf (in PDF document text)
    • https://s3.amazonaws.com/midaguvimabof/90440005813.pdf (in PDF document text)
    • https://s3.amazonaws.com/rekawexuretowo/fusidixodoma.pdf (in PDF document text)
    • https://e1eccfe9-8888-4f52-a155-e9c8e84e0752.filesusr.com/ugd/4fb05f_3f80515f6b5e40f59ae850f51ec818aa.pdf?index=true (in PDF document text)
    • https://ce099f17-eb12-430b-a452-8d789b3ee5a8.filesusr.com/ugd/aef5b7_8ac23baf3af848f1b0fac0b97b4ffe13.pdf?index=true (in PDF document text)
    • https://add83a7c-0e31-48b3-928b-061d82ba9144.filesusr.com/ugd/205ae4_af5399ad53524c829cc189955d158ab6.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/gowebabuxogiro/stock_ageing_analysis_sap_report.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f92f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF92F | 6108 bytes
  SHA-256: 93e8a7f9b60fc290a3edaf292ea2dca8937505e0ae53d098ce649b4f914f068e
font_01_sfnt_off00010e06.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E06 | 14176 bytes
  SHA-256: 8ab2f8d5df007a6ae29e746240bd257102dc4d7ec15a54a4e36534216c8aead0