Malicious PDF — malware analysis report

Static analysis result for SHA-256 4cb7b25b5a672290…

Verdict: MALICIOUS
File type: PDF
Size: 80.5 KB
Created: 2021-03-07 10:49:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c4cbc2b14e1a8a81335c9a3d6f79840e
SHA-1: d0c8c963c884a9daa2df29e19cab99baef3f3d91
SHA-256: 4cb7b25b5a67229086d3e39553476ed72d1646f51092b6f9e1e5478fc776b211
Risk score: 196

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution

Only T1566.001 is supported by the heuristics listed below. No JavaScript, OpenAction or exploit indicator fired on this sample, so the T1059.007 and T1203 mappings should be treated as unconfirmed; the observed behaviour is link delivery, not client-side code execution.

The PDF contains an unusually high number of external links for an 80 KB document, most of them clustered on cdn.sqhk.co and on free-hosting subdomains (weebly.com, myartsonline.com, atwebpages.com), which the PDF_SEO_LINK_FARM heuristic flags as a generated SEO/link-farm carrier rather than a normal citation pattern; the authoring application (wkhtmltopdf) is consistent with a mass-produced HTML-to-PDF lure. The 'powershell_5.0_free_download' string that fired SE_LOLBIN_RUN_COMMAND sits inside a link target (http://shopbest.online/windows_powershell_5.0_free_download8avpd.pdf), so it is a 'download PowerShell' lure title rather than an executable command line, and no JavaScript or launch-action heuristic fired. Combined with the Nyx classifier score (0.9991) and the ClamAV Pdf.Phishing.Trojan detection, the verdict is malicious: the embedded URLs are the payload, routing the reader into further PDF lures, phishing pages or unwanted-software downloads, and the document exists to expose links rather than to carry content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (6)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • [high] SE_LOLBIN_RUN_COMMAND: LOLBin token sequence in document text
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text. In this sample the match is the 'powershell' token inside the link target windows_powershell_5.0_free_download8avpd.pdf, a lure title rather than a command line.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The list below also contains XMP/RDF namespace URIs (w3.org, purl.org, ns.adobe.com) and font-vendor/licence links (ascendercorp.com, daltonmaag.com, scripts.sil.org/OFL) that come from document metadata and embedded font tables rather than from link annotations; they are not indicators.
    • https://seumenha.ru/strik?utm_term=navy+fitrep+instruction
    • https://cdn.sqhk.co/pelonulu/iajjicZ/spades_card_game_rules.pdf
    • https://midodelawipage.weebly.com/uploads/1/3/4/5/134585137/loxigan.pdf
    • https://cdn.sqhk.co/lifudidu/igeghLI/find_my_phone_by_number_location.pdf
    • http://shopbest.online/windows_powershell_5.0_free_download8avpd.pdf
    • https://cdn.sqhk.co/lelogivotosu/cVhahiN/skate_space_198.pdf
    • https://cdn.sqhk.co/padasagam/Vgd0gh0/2131684434.pdf
    • http://help-verification.com/27173550819j2slu.pdf
    • https://cdn.sqhk.co/xenivoronizu/hgjjjij/wuguwo.pdf
    • https://ditaluli.weebly.com/uploads/1/3/5/3/135325413/3486976.pdf
    • http://forkidsshop.online/reported_speech_explained_simply1a1ky.pdf
    • https://cdn.sqhk.co/metusoteliza/ichgvja/fuvewomonenem.pdf
    • https://cdn.sqhk.co/fumamimed/dgc6ghu/91380390443.pdf
    • https://cdn.sqhk.co/xenotami/coAkji8/average_calculator_python.pdf
    • https://static.s123-cdn-static.com/uploads/4379374/normal_600496a095da0.pdf
    • https://cdn.sqhk.co/foxezevewa/icNhhii/party_city_locations_melrose_park.pdf
    • http://openplafond.xyz/balanceamento_de_equaes_quimicas_9_ano258hd.pdf
    • http://zusagukitu.mywebcommunity.org/venev.pdf
    • https://static.s123-cdn-static.com/uploads/4493541/normal_5fe275d74743c.pdf
    • https://tamilifikex.weebly.com/uploads/1/3/5/3/135321075/malevujubiri_vipejiwu_devegowakadinan_jixeni.pdf
    • https://cdn.sqhk.co/dodirorip/gejjrjd/hymns_of_praise_book.pdf
    • http://wadoromutisagar
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://wadoromutisagar.myartsonline.com/sevozusudafut.pdf
    • http://vajapojaperusu.myartsonline.com/fupovod.pdf
    • http://geforagegi.atwebpages.com/install_kali_linux_on_raspberry_pi_4b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
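The three structural heuristics above (PDF_SEO_LINK_FARM, SE_LOLBIN_RUN_COMMAND and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) implemented as an added worked example; this is not code from the report or from the scanner that produced it. It runs on a constructed miniature PDF with invented hostnames under .test, uses regex-based object parsing as a stand-in for a real PDF parser, and its thresholds (5 links, 200 KB, 60 % of links on one host) are assumptions; only the 220-character window is taken from the heuristic text.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-in for a small link-farm PDF (not the analysed sample): six
# /URI link annotations (five on one host), object 4 defined twice with
# different bodies, and a second body that puts a LOLBin token next to a URL.
# Hostnames under .test are invented.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R
  /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj
4 0 obj << /Length 40 >> stream
BT (Download the full guide below) Tj ET
endstream endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.farm.test/a/guide1.pdf) >> >> endobj
6 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.farm.test/b/guide2.pdf) >> >> endobj
7 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.farm.test/c/guide3.pdf) >> >> endobj
8 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.farm.test/d/guide4.pdf) >> >> endobj
9 0 obj << /Subtype /Link /A << /S /URI /URI (https://cdn.farm.test/e/guide5.pdf) >> >> endobj
10 0 obj << /Subtype /Link /A << /S /URI /URI (http://shop.farm.test/free_download.pdf) >> >> endobj
4 0 obj << /Length 84 >> stream
BT (Open powershell -ep bypass then fetch http://shop.farm.test/free_download.pdf) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj"; the lookbehind keeps "%PDF-1.4\n1 0 obj" from being read
# as object 4 generation 1. Regex parsing is a stand-in for a real PDF parser.
OBJ_RE = re.compile(rb"(?<![\w.])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
TEXT_RE = re.compile(rb"\(([^)]*)\)\s*Tj")
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|GoToR|URI)\b")
# Underscores count as separators so "windows_powershell_5.0" still matches.
LOLBIN_RE = re.compile(r"(?<![A-Za-z0-9])(powershell|mshta|cmd|rundll32|regsvr32|"
                       r"wscript|cscript|certutil)(?![A-Za-z0-9])", re.I)
DANGER_RE = re.compile(r"(-ep\s+bypass|-enc\b|-nop\b|iex\b|invoke-expression|https?://\S+)", re.I)


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined with differing bodies."""
    seen = {}
    for num, gen, body in OBJ_RE.findall(data):
        seen.setdefault(f"{int(num)} {int(gen)}", []).append(body.strip())
    return {
        key: {"definitions": len(bodies),
              "active": any(ACTIVE_RE.search(b) for b in bodies),  # raises severity
              "first_wins": bodies[0], "last_wins": bodies[-1]}
        for key, bodies in seen.items() if len(set(bodies)) > 1
    }


def link_uris(data):
    """External URLs reachable through /URI actions (link annotations)."""
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


def link_farm(data, min_links=5, max_size=200 * 1024, min_share=0.6):
    """PDF_SEO_LINK_FARM: small file, many external links, mostly on one host
    (thresholds are assumptions)."""
    uris = link_uris(data)
    hosts = Counter(h for h in (urlparse(u).hostname for u in uris) if h)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(uris) if uris else 0.0
    return {"flag": len(data) <= max_size and len(uris) >= min_links and share >= min_share,
            "links": len(uris), "top_host": top_host, "top_host_share": round(share, 2)}


def document_text(data):
    """Naive text extraction (Tj literals) over every object body, including both
    definitions of a duplicated object, so a hidden body is still scanned."""
    return " ".join(s.decode("latin-1") for s in TEXT_RE.findall(data))


def lolbin_hits(text, window=220):
    """SE_LOLBIN_RUN_COMMAND: LOLBin name within `window` chars of a dangerous
    flag, verb or URL (220 is the window quoted by the heuristic)."""
    hits = []
    for m in LOLBIN_RE.finditer(text):
        around = text[max(0, m.start() - window): m.end() + window]
        evidence = [d.group(0) for d in DANGER_RE.finditer(around)]
        if evidence:
            hits.append({"token": m.group(1).lower(), "evidence": evidence})
    return hits


def analyse(data):
    """Run the three heuristics and return their findings."""
    return {"link_farm": link_farm(data),
            "duplicates": duplicate_objects(data),
            "lolbin": lolbin_hits(document_text(data))}


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_PDF).items():
        print(name, finding)
```

On the constructed sample the link-farm check reports cdn.farm.test holding five of six links, the duplicate-object check returns both bodies of object 4 so the first-wins and last-wins views can be diffed (severity stays at info because neither body carries an active key), and the LOLBin check returns the 'powershell' token with the flag and URL found in its window. The text scan deliberately covers every object body rather than the resolved one, which is what catches a command hidden in the body a first-wins reader never shows. Against the real sample the same token rule would fire on 'windows_powershell_5.0_free_download' inside a link target, which is why a hit that originates in a URL path should be read as a lure title, not as a command line.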

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are sfnt (TrueType/OpenType) font programs embedded by the authoring application, a normal component of wkhtmltopdf output, and the likely origin of the font-vendor and licence URLs (ascendercorp.com, daltonmaag.com, scripts.sil.org/OFL) in the URL list above.

Filename: font_00_sfnt_off0000f1b5.bin
  SHA-256: 9bca318ab1896a4997bff0a13cc66794539d691a141b5f3edab3429580600550
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF1B5
  Size: 4988 bytes

Filename: font_01_sfnt_off000102c8.bin
  SHA-256: d16b0e00fb5c6cde617e170f24625cc21e4e774a9ba996c8366a9c4739758196
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x102C8
  Size: 10616 bytes

Filename: font_02_sfnt_off00012687.bin
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12687
  Size: 4324 bytes